JP4331186B2 - Model checking information generation apparatus and program - Google Patents

Description

  The present invention relates to a model checking information generating apparatus and a program such as a monitoring automaton generating apparatus for model checking of a real time process related to a behavior verification technique using design information of the real time process.

  In the real-time system field and the embedded system field in which the behavior is determined based on the time when the event occurs, or there are restrictions and required specifications regarding the operation time of the system, it is important and difficult to verify the behavior. Typical systems in such a field include a communication protocol system via a network and a cooperative operation system using a plurality of robots.

  Therefore, in the fields as described above, model checking technology is often used for behavior verification. A typical model checking tool that can be verified in terms of time constraints and performance is “UPPAAL” developed jointly by Uppsala University in Sweden and Alborg University in Denmark. “UPPAAL” can describe a parallel operation model of an extended time automaton with general data such as logical variables and integer variables added to the time automaton. The model check function verifies the invariance and reachability of the behavior. A tool that can be done. “UPPAAL” has a feature that the description of the model is simple because the state transition model of the system can be drawn by GUI.

  By the way, in general system design processes in the real-time system field and embedded system field, state transition tables, state transition diagrams (state charts), sequence charts, timing charts, etc. are created. It is necessary to add time information to the state transition diagram without omission and to create a verification expression describing the property to be verified. Of these, the task of adding detailed time information to the state transition diagram is an essential task in the design refinement process and has been performed by designers in the past. It is a technology-specific task that is nearly impossible for most designers.

  On the other hand, in Non-Patent Document 1, a state transition that monitors the system behavior defined by a state transition diagram called an observer is generated from a sequence chart, and the behavior is verified by combining this observer with a simple verification formula. A technique has been proposed.

“Timed Sequence Diagrams and Tool-Based Analysis A Case Study”, Thomas Firley, Michaela Huhn, Karsten Diethers, Thomas Gehrke, and Ursula Goltz,

  However, the technique proposed in Non-Patent Document 1 has some problems that do not correspond to the actual design process.

  First, the sequence chart may include a time declaration as an example of behavior in addition to a case where a time constraint as a required specification is described, but it is proposed in Non-Patent Document 1. However, there is a problem that only a time constraint as a requirement specification is supported.

  Secondly, the sequence chart created at the design stage is a part of the system behavior expressed by the state transition diagram, and many such sequence charts are created. In such a method, there is a problem that a plurality of sequence charts cannot be handled effectively.

  Thirdly, in model checking, a behavior is defined by a state transition diagram for each real-time process, and is composed of a plurality of state transition diagrams. The behavior of a plurality of components is also described in the sequence chart. However, there is a problem that the method proposed in the above-mentioned method targets a single state transition diagram for a single system element.

  The present invention has been made in view of the above, and an object of the present invention is to provide a model checking information generation device and a program that allow a designer who is not familiar with model checking to easily use a model checking tool. To do.

  In order to solve the above-mentioned problems and achieve the object, the present invention includes a state transition diagram of a real-time process including time information and a part of the behavior of the real-time process expressed by the state transition diagram and includes a time request. A model checking information generating apparatus for generating a modified version state transition diagram, an observer, and a verification formula necessary for model checking of the real-time process based on a sequence chart, the state transition diagram of the real-time process and the sequence Based on the chart, for each transition of the state transition diagram of the real-time process, a broadcast communication channel that is a one-to-many communication with a name composed of an action name at the transition source location and an action name at the transition destination location is added And a transmission interface to the broadcast communication channel. A transition extraction event insertion unit that adds the event to the state transition diagram as a process in the transition to generate the modified version state transition diagram and can notify the state transition history of the real-time process, and the state transition diagram; Based on the sequence chart, the two processes for processing the reception of the broadcast communication channel composed of a location corresponding to each action on the sequence chart and two consecutive action names on the sequence chart An observer generating unit configured to generate the observer whose state transitions in response to the state transition history of the real-time process notified through the broadcast communication channel, the transition between the locations corresponding to the action name And the observer generated by the observer generating means And a verification equation generating means for generating the verification equation describing the properties to be verified based on the process of chromatography server.

  In addition, the present invention is necessary for the model check of the real-time process based on the state transition diagram of the real-time process including time information and the sequence chart including a time request that is a part of the real-time process represented by the state transition diagram. A program for causing a computer to execute a process for generating a modified version state transition diagram, an observer, and a verification formula, each of the state transition diagrams of the real-time process based on the state transition diagram and the sequence chart of the real-time process A broadcast communication channel that is a one-to-many communication consisting of an action name at the transition source location and an action name at the transition destination location is additionally defined with respect to the transition, and a transmission event to the transition channel is defined as the transition The state transition as processing in In addition to the diagram, the modified version state transition diagram is generated, the transition extraction event insertion function that enables notification of the state transition history of each real-time process, and the sequence based on the state transition diagram and the sequence chart Between the locations corresponding to the two action names for processing the reception of the broadcast communication channel composed of a location corresponding to each action on the chart and two consecutive action names on the sequence chart The observer generation function for generating the observer whose state transitions in response to the state transition history of each real-time process notified via the broadcast communication channel, and generated by this observer generation function Properties to be verified based on the observed observer process A verification equation generating function for generating describing the verification equation, the causes the computer to perform.

  According to the present invention, the designer does not create a verification formula necessary for model checking, and does not affect the original software model by using a broadcast communication channel that is one-to-many communication. Necessary for model checking to verify whether the requirements (time specification, time declaration) described in multiple sequence charts created in the actual design process are satisfied by the prepared state transition design As such information is automatically generated, there is an effect that a designer who is not familiar with model checking can easily use the model checking tool.

  Exemplary embodiments of a model checking information generating apparatus and a program according to the present invention will be explained below in detail with reference to the accompanying drawings.

[First Embodiment]
A first embodiment of the present invention will be described with reference to FIGS. FIG. 1 is a block diagram showing a hardware configuration of a model checking monitoring automaton generation device 1 according to the first embodiment of the present invention. The model check monitoring automaton generation device 1 according to the present embodiment is a model check information generation device, and generally includes requirements (required specifications for time) described in a plurality of sequence charts created in a design process. , Time declaration) is automatically generated as input information necessary for model checking to verify whether the prepared state transition design is satisfied.

  As shown in FIG. 1, a model checking monitoring automaton generator 1 is, for example, a personal computer or a workstation, and includes a CPU (Central Processing Unit) 2 that is a main part of the computer and controls each part centrally. Yes. The CPU 2 is connected by a bus 5 to a ROM (Read Only Memory) 3 which is a read-only memory storing BIOS and a RAM (Random Access Memory) 4 which stores various data in a rewritable manner.

  Further, the bus 5 has an HDD (Hard Disk Drive) 6 that stores various programs and the like, and a CD-ROM drive 8 that reads a CD (Compact Disc) -ROM 7 as a mechanism for reading computer software that is a distributed program. A communication control device 10 that controls communication between the model checking monitoring automaton generation device 1 and the network 9, an input device 11 such as a keyboard and a mouse that performs various operation instructions, and a CRT (Cathode Ray Tube) that displays various information. A display device 12 such as an LCD (Liquid Crystal Display) is connected via an I / O (not shown).

  Since the RAM 4 has the property of storing various data in a rewritable manner, it functions as a work area for the CPU 2 and functions as a buffer.

  A CD-ROM 7 shown in FIG. 1 implements the storage medium of the present invention, and stores an OS (Operating System) and various programs. The CPU 2 reads the program stored in the CD-ROM 7 with the CD-ROM drive 8 and installs it in the HDD 6.

  As the storage medium, not only the CD-ROM 7 but also various types of media such as semiconductor memory such as various optical disks such as DVD, various magnetic disks such as various magneto-optical disks and flexible disks, and the like can be used. Alternatively, the program may be downloaded from the network 9 such as the Internet via the communication control device 10 and installed in the HDD 6. In this case, the storage device storing the program in the server on the transmission side is also a storage medium of the present invention. Note that the program may operate on a predetermined OS (Operating System), and in that case, the OS may take over the execution of some of the various processes described later, It may be included as a part of a group of program files constituting the application software or OS.

  The CPU 2 that controls the operation of the entire system executes various processes based on a program loaded on the HDD 6 used as the main storage of the system.

  Next, among the functions that the various programs installed in the HDD 6 of the model checking monitoring automaton generation device 1 cause the CPU 2 to execute, the characteristic functions of the model checking monitoring automaton generation device 1 according to the present embodiment are provided. explain.

  FIG. 2 is a block diagram illustrating a functional configuration of the model checking monitoring automaton generation device 1. As shown in FIG. 2, the model checking monitoring automaton generating device 1 follows a model checking monitoring automaton generating program, and includes a transition extraction event inserting unit 21 that is a transition extraction event inserting unit and an observer (state transition diagram). The state transition diagram for monitoring the system behavior defined in (1)) is provided with an observer generating unit 22 which is an observer generating unit for generating 42, and a verification formula generating unit 23 which is a verification formula generating unit for generating a verification formula 43.

  The transition extraction event insertion unit 21 notifies a state transition history of each process to other processes from a state transition diagram 31 of a plurality of processes including time information and a plurality of sequence charts 32 including a time request. Is extracted and added to the state transition diagram 31 to generate a modified version state transition diagram 41. Here, the state transition diagram 31 is a state transition diagram used for the model checking tool “UPPAAL” that can be verified with respect to time constraints and performance. “UPPAAL” can describe a parallel operation model of an extended time automaton with general data such as logical variables and integer variables added to the time automaton. The model check function verifies the invariance and reachability of the behavior. A tool that can be done. “UPPAAL” has a feature that the description of the model is simple because the state transition model of the system can be drawn by GUI. The sequence chart 32 is a sequence chart based on UML profile for SPT (standard for real-time system design language) used for real-time system design.

  Based on the state transition diagram 31 and the individual sequence charts 32, the observer generation unit 22 newly generates a process observer 42 having a state transition that transitions to an error state when a mismatch occurs with the notification of the state transition history. .

  The verification formula generation unit 23 verifies that the individual observer process generated based on the individual sequence chart 32 is not shifted to an error state in any case, and the case where the final location of the observer process is reached A verification formula 43 is generated to verify that exists.

  First, the transition extraction event insertion unit 21 will be described in detail. Here, FIG. 3 is a flowchart showing the flow of the transition extraction event insertion process in the transition extraction event insertion unit 21. As shown in FIG. 3, when all locations in the state transition diagram 31 are not finished (No in step S1), and the location of interest appears in any sequence chart (Yes in step S2) After adding a broadcast communication channel declaration having the name of the location of interest as the name (step S3), the process proceeds to step S4 and ends for all the next locations of the location of interest. Judge whether or not.

  If not finished for all the next locations of the location of interest (No in step S4), the location of time 0 and the location of interest are displayed immediately before the next location of interest. A transition for performing transmission to the broadcast communication channel, which is one-to-many communication having the name, is inserted (step S5).

  If the next location of interest appears in any of the sequence charts (Yes in step S6), the broadcast communication having the name of the set of the location of interest and the next location of interest as the name A channel declaration is added (step S7), and a location where time has elapsed 0 and a transition for transmission to the broadcast communication channel are inserted immediately before the next location of interest (step S8). Return.

  If the next location of interest does not appear in any of the sequence charts (No in step S6), the process returns to step S4 as it is.

  The processes in steps S4 to S8 as described above are repeated until it is determined that all the subsequent locations of the location of interest are finished (Yes in step S4). If all the next locations of the location of interest have been completed (Yes in step S4), the process proceeds to step S9, and whether or not all of the previous locations of the location of interest have been completed. Determine whether.

  If all the previous locations of the location of interest have not been completed (No in step S9), the location of time 0 and the location of interest are displayed immediately before the next location of interest. A transition for transmitting to the broadcast communication channel in the name is inserted (step S10).

  If the focused previous location does not appear in any of the sequence charts (No in step S11), the broadcast communication having the name of the set of the focused previous location and the focused location as a name A channel declaration is added (step S12), and a transition that transmits to the broadcast communication channel is inserted in the transition from the previous location of interest immediately before the location of interest and the location where time has elapsed. (Step S13), the process returns to step S9.

  If the previous location of interest has appeared in any sequence chart (Yes in step S11), the process directly returns to step S9.

  The processes in steps S9 to S13 as described above are repeated until it is determined that all the previous locations of the location of interest are finished (Yes in step S9). If the process has been completed for all previous locations of the location of interest (Yes in step S9), the process returns to step S1.

  The processes in steps S1 to S13 as described above are repeated until it is determined that the process has been completed for all locations in all the state transition diagrams 31 (Yes in step S1).

  Here, FIG. 4 is a schematic diagram showing a state in which a transition extraction event is inserted. Here, an example of operation when a state transition diagram 31 and a sequence chart 32 as shown in FIG. 4 are input will be shown.

  By following the transition extraction event insertion processing in the transition extraction event insertion unit 21, as shown in FIG. 4, broadcast type communication named “A.0 to A.1” including the locations a0 and a1 with respect to the location a1. “Broadcast chan A.0 to A.1, A.0;” which is a definition declaration of the broadcast communication channel named “A.0” including the channel and a0 in the name is added. That is, for each transition in the state transition diagram 31 of each process, a broadcast communication channel having a name composed of an action name at the transition source location and an action name at the transition destination location is additionally defined, and the action name at the transition source location In addition, a broadcast communication channel having a name composed of the following is defined, and a transmission event to the transition channel is added to the transition. Thereby, it can grasp | ascertain how it is moving.

  Further, as shown in FIG. 4, a node with time lapse 0 is inserted “2” between locations a0 and a1, and a transition to receive channel “A.0 to A.1” and channel “A. A channel receiving “0” is inserted. Similarly, for the location a2, a broadcast communication channel named “A.1 to A.2” including the locations a1 and a2 and a broadcast communication channel named “A.1” including “a1” in the name are included. The definition declaration “broadcast chan A.1 to A.2, A.1;” is added. Further, “2” is inserted between the locations a1 and a2, and a node that receives channel “A.1 to A.2” and a channel that receives channel “A.1” are inserted. Inserted.

  Next, the observer generator 22 will be described in detail. Here, FIG. 5 is a flowchart showing the flow of the observer generation process in the observer generation unit 22, and FIG. 6 is a flowchart showing the flow of a part of the observer generation process. As shown in FIG. 5, the observer generation unit 22 generates “observer” by extracting only the sequence of the process of interest for all the processes included in the sequence chart 32 (No in step S21, step S22). ).

  The process in step S22 will be described in detail with reference to the flowchart shown in FIG. As shown in FIG. 6, first, the initial location and the fail location, the first location definition of the sequence chart, and the definition of a dedicated clock variable are added (step S31).

  Next, the process proceeds to step S32, and if not completed for all previous locations in the state transition diagram location corresponding to the first location in the sequence chart (No in step S32), between the initial location and the fail location In addition, a transition for receiving a channel having all the locations and the first pair as a name is added (step S33).

  Such processes in steps S32 to S33 are repeated until it is determined that all the previous locations in the location of the state transition diagram corresponding to the first location in the sequence chart have been completed (Yes in step S32). It is. When it is determined that all the previous locations of the location of the state transition diagram corresponding to the first location of the sequence chart are finished (Yes in step S32), the process proceeds to step S34, and all of the sequence charts Determine if it is finished for the location.

  Not finished for all locations in the sequence chart (No in step S34), the location of interest has a time requirement specification (Yes in step S35), and the next of all locations of interest If the location has not ended (No in step S36), a location with a time lapse of 0 is added, and a transition with the required specification as guard is added from the location of interest to the added location (step S37). ), Add a location with the name of the next location in the sequence chart, and receive the channel with the name of the target location and the next location from the added location with the elapsed time 0 to the next location. A transition that sets the variable to 0 is added (step S38). Return to step S36.

  Such processing in steps S36 to S38 is repeated until it is determined that the processing has been completed for all the next locations of the location of interest (Yes in step S36).

  If it is determined that the process has been completed for all the next locations of the location of interest (Yes in step S36), the location of time lapse 0 is added to the location of time 0 added from the location of interest. A transition with guard as not in the requirement specification is added (step S39), and the channel having the name of the target location and the next location is received from the location with the added time lapse 0 to the fail location. After adding the transition to variable 0 (step S40), the process proceeds to step S41, and it is determined whether or not the location of interest has a time performance declaration.

  If it is determined in step S35 described above that the location of interest does not have a time requirement specification (No in step S35), the process proceeds to step S41, and the location of interest has a time performance declaration. Determine whether or not.

  If it is determined that the location of interest has a time performance declaration (Yes in step S41) and the processing has not ended for all the next locations of the location of interest (No in step S42), the time A location with a passage of 0 is added, a transition with the required specification as guard is added from the noted location to the added location (step S43), and a location having the next location in the sequence chart as a name is added. A transition for receiving the location of interest and the channel having the name of the next location is added from the added location with the elapsed time 0 to the next location (step S44), and the process returns to step S42.

  Such processes of steps S42 to S44 are repeated until it is determined that the process has been completed for all the next locations of the location of interest (Yes in step S42).

  Then, when it is determined that all the next locations of the location of interest are finished (Yes in step S42), or when it is determined that the location of interest does not have a time performance declaration (No in step S41), the process proceeds to step S45, where it is determined whether the location of interest has neither a time requirement specification nor a time performance declaration.

  If it is determined that the location of interest does not have a time requirement specification or a time performance declaration (Yes in step S45), the location of the channel having the name of the location of interest and the next location is changed from the location of interest to the next location. A reception is performed, a transition for setting the dedicated clock variable to 0 is added (step S46), and the process returns to step S34. On the other hand, if it is determined that the location of interest has a time requirement specification or a time performance declaration (No in step S45), the process directly returns to step S34.

  The processes in steps S34 to S46 as described above are repeated until it is determined that the process has been completed for all locations in the sequence chart (Yes in step S34).

  If it is determined that the process has been completed for all locations in the sequence chart (Yes in step S34), the channel having the name of the target location is received from the location of interest to the init location. The transition to be performed is added (step S47), and the process in step S22 is terminated.

  Next, the verification formula generation unit 23 will be described in detail. Here, FIG. 7 is a flowchart showing a flow of verification formula generation processing in the verification formula generation unit 23. As illustrated in FIG. 7, the verification formula generation unit 23 does not end for all locations of all sequence charts (No in step S51), and when the target sequence chart includes the required specifications (step S52). Yes), a verification expression “A [] (not observer name corresponding to the sequence chart.Fail)” is added (step S53), and a verification expression “E <> (observer name corresponding to the sequence chart. Last) (Location name) ”is added (step S54), and the process returns to step S51. On the other hand, when the target sequence chart does not include the required specification (No in step S52), only the verification expression “E <> (observer name corresponding to the sequence chart. Last location name)” is added (step S54), the process returns to step S51.

  The processing in steps S51 to S54 as described above is repeated until the processing is completed for all locations in all sequence charts (Yes in step S51).

  Here, FIG. 8 is a schematic diagram showing observer generation (case of required specifications) and verification expression generation. Here, an example of operation when a sequence chart 32 as shown in FIG. 8 is input will be shown.

  In the input sequence chart 32, in the process named “Process A”, after receiving the channel named “ReqZeroToruque”, the action of the location “1” is performed, and the action is completed within 400 [ms]. Thus, it represents a transition to the next location after transmission to a channel named “ZeroToruque”. Here, the term “SAworstCase” is a term used in UML profile for SPT, which is a design language standard for a real-time system, and means a requirement specification for the maximum execution time of the action. When such a sequence chart 32 is input, the observer generator 22 generates an observer 42 as shown in FIG. 8 by following the observer generation process shown in FIGS. 5 and 6.

  That is, as shown in FIG. 8, the observer generation unit 22 receives, for two consecutive actions on the sequence chart 32, two locations constituted by each action name and a channel constituted by both action names. A state transition history notification is recognized by generating a transition between both locations.

  In addition, as shown in FIG. 8, the observer generation unit 22 makes the sequence chart 32 when the notified state transition history satisfies the required specification for each action having the required specification regarding the time included in the sequence chart 32. A transition that can transition to the next state is generated, and a transition that transitions to an error state is generated when the notified state transition history does not satisfy the required specification.

  Further, as shown in FIG. 8, the observer generation unit 22 receives a channel composed of the action name between the location composed of the action name and the initial location for the action on the sequence chart 32. To recognize that the state transition history is out of sequence.

  When such a sequence chart 32 is input, the verification formula generation unit 23 generates a verification formula 43 as shown in FIG. 8 by following the verification formula generation processing shown in FIG.

  Next, FIG. 9 is a schematic diagram showing observer generation (time declaration case) and verification expression generation. Here, an example of operation when a sequence chart 32 as shown in FIG. 9 is input will be shown.

  The input sequence chart 32 receives the channel named “ReqZeroToruque” in the process named “Process A”, and finishes the action of the location “1” at 300 [ms] or more and 320 [ms]. It represents a transition to the next location after transmission to a channel named “ZeroToruque”. The difference from the sequence chart 32 in FIG. 8 is that the time constraint for the action is described in terms of “SAduration”, which is a declaration for the execution time of the action, ie, some execution according to the sequence chart 32. In the example, this means that the action is performed in such time. When such a sequence chart 32 is input, the observer generation unit 22 follows the observer generation processing shown in FIGS. 5 and 6, so that the sequence chart 32 includes a required specification for time. Is generated.

  That is, as shown in FIG. 9, the observer generation unit 22 receives, for two consecutive actions on the sequence chart 32, two locations constituted by each action name and a channel constituted by both action names. A state transition history notification is recognized by generating a transition between both locations.

  In addition, as shown in FIG. 9, the observer generation unit 22 performs the next on the sequence only when the notified state transition history matches the declaration for each action having a declaration related to time included in the sequence chart 32. A transition that can transition to the state of is generated.

  Further, as shown in FIG. 9, the observer generation unit 22 receives a channel configured from the action name between the location configured from the action name and the initial location for the action on the sequence chart 32. To recognize that the state transition history is out of sequence.

  Further, when such a sequence chart 32 is input, the verification formula generation unit 23 follows the verification formula generation processing shown in FIG. 7, so that the sequence chart 32 does not include a required specification for time, as shown in FIG. 9. A valid verification expression 43 is generated.

  Next, a composite example in which the transition extraction event is inserted will be described. Here, it is assumed that a state transition diagram 31 as shown in FIG. 10 and two sequence charts 32 as shown in FIGS. 11A and 11B are input. The two sequence charts 32 shown in FIGS. 11A and 11B each include actions corresponding to a plurality of locations, and both include requirement specifications and time declarations for time.

  In the sequence chart 32 of FIG. 11A, the requirement specification that the action of the location 1 must be executed at a maximum of 400 [ms], and the action of the location 2 is executed at 300 [ms] to 350 [ms]. The time declaration is shown. Further, the sequence chart 32 of FIG. 11-2 shows a requirement specification that the action of the location 1 must be executed at a maximum of 300 [ms] and the time declaration that the action of the location 2 is executed at 200 [ms]. Indicates.

  FIG. 12 shows a modified state transition diagram which is an output result of transition extraction event insertion according to FIG. 3 for the input example as described above, and an observer generation result according to the observer generation processing shown in FIGS. 13-1 and FIG. 13-2, and FIG. 14 shows a verification formula generation result according to the verification formula generation process shown in FIG. As shown in FIG. 14, the verification expression generation unit 23 generates a verification expression 43 indicating that the error state location of each generated observer is not reached at any time on any execution path. A verification expression 43 indicating that there is an execution path that reaches the last location of each observer is generated.

  When the generated state transition 41, observer 42, and verification formula 43 are verified by the model checking tool “UPPAAL”, the result shown in FIG. 15 is obtained for each verification formula 43 shown in FIG. From now on, the action of the location 1 satisfies the required specification of 400 [ms] at the maximum in any operation shown in the sequence chart 32 of FIG. 11A, but the action of 300 [maximum] shown in the sequence chart 32 of FIG. ms] is not satisfied, and the operation at the time shown in the sequence chart 32 of FIG. 11-1 can occur, but the operation at the time shown in the sequence chart 32 of FIG. You can see that it can't happen. From these, it can be seen that the input state transition contradicts the sequence chart 32, and it is found that there is an error in design.

  As described above, according to the present embodiment, the designer does not create a verification formula necessary for model checking, and without affecting the original software model by using the broadcast communication channel, Information required for model checking to verify whether the requirements (time specification, time declaration) described in multiple sequence charts created in the actual design process are satisfied by the prepared state transition design Is automatically generated, so a designer who is not familiar with model checking can easily use the model checking tool.

[Second Embodiment]
Next, a second embodiment of the present invention will be described with reference to FIGS. The same parts as those in the first embodiment described above are denoted by the same reference numerals, and description thereof is also omitted.

  Here, FIG. 16 is a block diagram showing a functional configuration of the model checking monitoring automaton generation device 1 according to the second embodiment of the present invention. As shown in FIG. 16, in addition to the configuration described in the first embodiment, the model checking monitoring automaton generation device 1 according to the present embodiment includes an observer re-entry enabling unit at the subsequent stage of the observer generation unit 22. A certain observer reentry enabling section 24 is provided.

  The observer re-entry enabler 24 is generally for improving the observer 42 generated by the observer generator 22 to be more accurate when the same location appears in the sequence chart 32 multiple times. is there.

  Here, the observer reentry enabling unit 24 will be described in detail. Here, FIG. 17 is a flowchart showing the flow of the observer reentrancy enabling process in the observer reentrancy enabling unit 24. As shown in FIG. 17, when not finished for all locations of the observer 42 generated by the observer generation unit 22 (No in step S61), the process proceeds to step S62, and “from the next location of the init location” It is determined whether or not there exists a location such that the location column leading to itself has the same location name as the column immediately before the location of interest.

  If there is a location as described above (Yes in step S62), if a plurality of locations that meet the conditions are found, the location closest to the location of interest is selected (step S63), and the next location is found from the found location. Save the transition and location between locations with names (simple transitions or transitions with zero clearing of the guard and clock variables with respect to time-the location with time 0 and the location of the channel named 2 locations (Step S64), and the saved transition and location are added between the location of interest and the location having the next name (step S65), and the process proceeds to step S61. Return.

  On the other hand, when the location as described above does not exist (No in step S62), the process directly returns to step S61.

  Such processes in steps S61 to S65 are repeated until it is determined that the process has been completed for all locations of the observer 42 generated by the observer generation unit 22 (Yes in step S61).

  Here, FIG. 18 is a schematic diagram showing the observer reentrancy. Here, an operation example in the case where an observer 42 as shown in FIG. 18 is generated by the observer generation unit 22 and input to the observer reentry enabling unit 24 is shown.

  When the observer 42 shown in FIG. 18 is generated by the observer generator 22, the observer reentry enabler 24 having this as an input follows the observer reentrant enable process shown in FIG. 17 to change the observer 42 ′ shown in FIG. 18. Output. When the observer 42 shown in FIG. 18 monitors the action sequence “1 → 2 → 3 → 1 → 2 → 3 → 1 → 2 → 4”, at the time of “1 → 2 → 3 → 1 → 2 → 3”. Although it is assumed that the sequence chart is not to be monitored, according to the observer 42 ′ shown in FIG. 18, “1 → 2 → 3 → 1 → 2 → 4” corresponding to the latter half of the action sequence can be correctly monitored. become.

  As described above, according to the present embodiment, when the same location is included in the sequence chart 32 a plurality of times and the observer 42 recognizes the location as the current state, the state transition history with the location as the transition source Is notified, the location of the same name existing further forward in the sequence chart 32 can be recognized as the current state.

It is a block diagram which shows the hardware constitutions of the monitoring automaton production | generation apparatus for model checking concerning the 1st Embodiment of this invention. It is a block diagram which shows the function structure of the monitoring automaton production | generation apparatus for model checking. It is a flowchart which shows the flow of the transition extraction event insertion process in a transition extraction event insertion part. It is a schematic diagram which shows the state by which a transition extraction event is inserted. It is a flowchart which shows the flow of the observer production | generation process in an observer production | generation part. It is a flowchart which shows the flow of a part of observer generation process. It is a flowchart which shows the flow of the verification formula production | generation process in a verification formula production | generation part. It is a schematic diagram which shows observer production | generation (case of a requirement specification) and verification expression production | generation. It is a schematic diagram which shows observer generation (case of time declaration) and verification expression generation. It is a schematic diagram which shows an example of the input state transition diagram. It is a schematic diagram which shows an example of the input sequence chart. It is a schematic diagram which shows an example of the input sequence chart. It is a schematic diagram which shows an example of the corrected state transition diagram. It is a schematic diagram which shows an example of the produced | generated observer. It is a schematic diagram which shows an example of the produced | generated observer. It is a schematic diagram which shows an example of the produced | generated verification formula. It is a schematic diagram which shows an example of the verification result in model check tool "UPPAAL". It is a block diagram which shows the function structure of the monitoring automaton production | generation apparatus for model checking concerning the 2nd Embodiment of this invention. It is a flowchart which shows the flow of the observer reentry enabling process in an observer reentry enabling part. It is a schematic diagram which shows observer reentry enabling.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Model check information production | generation apparatus 21 Transition extraction event insertion means 22 Observer production | generation means 23 Verification formula production | generation means 24 Observer reentry enabling means

Claims (10)

Based on a state transition diagram of the real-time process including time information and a sequence chart including a time request that is a part of the behavior of the real-time process represented by the state transition diagram, a modified version state necessary for model checking of the real-time process An information generation apparatus for model checking that generates a transition diagram, an observer, and a verification expression,
Based on the state transition diagram of the real-time process and the sequence chart, a pair of names composed of an action name at the transition source location and an action name at the transition destination location for each transition of the state transition diagram of the real-time process In addition to defining a broadcast-type communication channel that is a multiplicity of communication, the transmission event to the broadcast-type communication channel is added to the state transition diagram as a process in the transition to generate the modified state transition diagram, Transition extraction event insertion means for enabling notification of a state transition history of a real-time process;
Based on the state transition diagram and the sequence chart, receiving the broadcast communication channel configured by a location corresponding to each action on the sequence chart and two consecutive action names on the sequence chart. Transitions between the locations corresponding to the two action names to be processed, and the observer whose state transitions corresponding to the state transition history of the real-time process notified via the broadcast communication channel An observer generating means for generating;
Verification expression generation means for generating the verification expression describing the property to be verified based on the process of the observer generated by the observer generation means;
A model checking information generating apparatus comprising: The transition extraction event insertion means additionally defines a broadcast communication channel having a name composed of an action name at a transition source location for each transition in the state transition diagram of the real-time process, and the broadcast communication channel Add a send event to as a process in the transition,
The model checking information generating device according to claim 1. The observer generated by the observer generation means has a state transition that transitions to an error state when a mismatch occurs.
The model checking information generating device according to claim 1. The observer generating means can transition to the next state on the sequence chart when the notified state transition history satisfies the required specifications for each action having the required specifications related to time included in the sequence chart. A transition is generated, and a transition to an error state is generated when the notified state transition history does not satisfy the required specification.
The model checking information generating device according to claim 1. The observer generating means, for each action having a time declaration included in the sequence chart, generates a transition that can transition to the next state on the sequence chart only when the notified state transition history matches the declaration. Generate,
The model checking information generating device according to claim 1. For the actions on the sequence chart, the observer generation means generates a transition for receiving a channel including the action name between a location including the action name and an initial location, thereby generating a state transition history. The observer transitions to the initial location when out of sequence.
The model checking information generating device according to claim 1. The verification expression generation means generates a verification expression indicating that the generated error state location of the observer is not reached at any time on any execution path.
The model checking information generating device according to claim 1. The verification formula generation means generates a verification formula indicating that there is an execution path that reaches the final location of the generated observer.
The model checking information generating device according to claim 1. When the same location is included in the sequence chart multiple times and the observer recognizes the location as the current state, the sequence chart is notified when a state transition history with the location as a transition source is notified. An observer re-entry enabling means characterized in that a location of the same name existing further forward in the inside can be recognized as a current state;
The information generating apparatus for model checking according to claim 6. Based on a state transition diagram of a real-time process including time information and a sequence chart including a time request that is a part of the real-time process represented by the state transition diagram, a modified version state transition diagram necessary for model checking of the real-time process A program for causing a computer to execute a process for generating an observer, an observer, and a verification expression,
Based on the state transition diagram of the real-time process and the sequence chart, a one-to-many name composed of an action name at the transition source location and an action name at the transition destination location for each transition of the state transition diagram of the real-time process A broadcast type communication channel that is a communication of the transmission channel, and a transmission event to the transition channel is added to the state transition diagram as a process in the transition to generate the modified state transition diagram, and each real-time process A transition extraction event insertion function that enables notification of the state transition history of
Based on the state transition diagram and the sequence chart, receiving the broadcast communication channel configured by a location corresponding to each action on the sequence chart and two consecutive action names on the sequence chart. The observer that transitions between the locations corresponding to the two action names to be processed and whose state transitions according to the state transition history of each real-time process notified via the broadcast communication channel An observer generation function for generating
A verification expression generation function for generating the verification expression describing the property to be verified based on the process of the observer generated by the observer generation function;
That causes the computer to execute the program.

Images