JP5396930B2 - Verification target function automatic selection device, verification target function automatic selection method, and verification target function automatic selection program - Google Patents

Description

  The present invention relates to a verification target function automatic selection device, and more particularly to a verification target function automatic selection device in a model checking method.

  As a method for verifying a source code described in a programming language such as C language by a model checking technique which is a method of formal verification, for example, “Information Processing 49 (5)” Formal method to C language As in the prior art described in “Application of Yoshiaki Miyazaki and Yusuke Hashimoto (Non-patent Document 1)”, several methods are conventionally known.

  Moreover, as a related technique, Japanese Patent Publication No. 2007-528059 (Patent Document 1) discloses a system and method for software modeling, abstraction, and analysis.

  This related technology is a technology for performing verification by converting source code into a model that can be model-checked in source code verification.

  However, in this related technology, no special processing is performed for the function to be modeled, and it is directly or indirectly called from the verification code specified by the user and the function that is the starting point of the verification target (called the entry function). All functions were added for verification. For this reason, it is not known that the verification result is not output because the time limit has expired until the verification result is output, and manual trial and error is necessary in selecting a function to avoid it. In addition, since the trial and error used a method that relied on intuition, there was a problem that it was not always possible to set as intended.

  In general, when building a model automatically from source code and performing verification by model checking, the number of generated model states becomes enormous and the amount of calculations becomes very large. Often does not end.

  For this reason, an upper limit of the verification time is set in advance, and a verification item for which a result cannot be obtained within that time is taken as a timeout and the verification is terminated.

  Also, in order to obtain as many verification results as possible, various optimizations are performed during the modeling process, and processing is performed to reduce the model within a range that does not affect the verification results. In this method, all the functions that are called directly or indirectly from the origin function specified by the user are added to the verification target, so if there are many target functions, the verification result can be output within the upper limit time. Often not.

  In such a case, among the functions that are directly or indirectly called from the origin function, a lot of time is spent on verifying some functions that have a large amount of calculation and cannot obtain a result within the time limit, and are relatively short. The verification of other functions that can be verified in time is also affected, and there is a problem that effective verification time is not allocated as a whole.

Special table 2007-528059 gazette

Information Processing 49 (5) “Application of Formal Methods to C Language” by Yoshiaki Miyazaki and Yusuke Hashimoto “Compiler II Principle / Technique / Tool” V. Aiho, R.A. Cessie, J. D. By Ullman National Institute of Advanced Industrial Science and Technology (AIST), System Verification Research Center, Technical Report “Survey of Verification Tools Using Abstraction” Yoshinori Tanabe, Toshinori Takai, Koichi Takahashi

  An object of the present invention is to provide an automatic verification target function selection device that automatically selects a function group having a high verification effect and then models it by reconstructing the verification target model before performing model checking. Is to provide.

The verification target function automatic selection device of the present invention reads a test specification and a test target code, performs a compiler optimization process on the test target code, and creates a control flow graph model based on the test specification Then, the control flow graph model is read, the function called from the entry function specified in the inspection specification is detected, the block number and evaluation value of the detected function are calculated, and based on the calculated block number and evaluation, A function to be added to the verification target is selected from the detected functions, and verification target function selection means for converting the control flow graph model based on the selected function is included.

Model checking control means reads the converted control flow graph model, with reference to symbolic model checking method using the computation tree logic to create a test model, the inspection model, symbolic model using computation tree logic The inspection is executed according to the inspection method, and the result of the executed inspection is output.

In the verification target function automatic selection method of the present invention, a test specification and a test target code are read, a compiler optimization process is performed on the test target code, and a control flow graph model is created based on the test specification. Next, referring to the control flow graph model, the function called from the entry function specified in the inspection specification is detected, the number of blocks and the evaluation value of the detected function are calculated, and based on the calculated number of blocks and evaluation Then, a function to be added to the verification target is selected from the detected functions, and the control flow graph model is converted based on the selected function. Next, with reference to the converted control flow graph model, with reference to symbolic model checking method using the computation tree logic to create a test model, the inspection model, symbolic model checking method using the computation tree logic The inspection is executed in accordance with, and the result of the executed inspection is output.

The verification target function automatic selection program of the present invention reads a test specification and a test target code, performs a compiler optimization process on the test target code, and creates a control flow graph model based on the test specification; Refers to the control flow graph model, detects the function called from the entry function specified in the inspection specification, calculates the block number and evaluation value of the detected function, and detects based on the calculated block number and evaluation The function to be added to the verification target is selected from the converted functions, and the step of converting the control flow graph model based on the selected function and the converted control flow graph model are referred to, and the calculation tree logic is Create an inspection model according to the symbol model inspection method used, and inspect the inspection model according to the symbol model inspection method using computational tree logic. And a program for causing a computer to execute a step of executing and outputting a result of the executed inspection.

  Prior to model checking, a model to be verified is reconstructed, so that a more effective verification result can be obtained within a given verification time.

It is a block diagram which shows the structural example of the verification object function automatic selection apparatus of this invention. It is a flowchart which shows operation | movement of the verification object function automatic selection apparatus of this invention. It is a figure which shows the example of the rule used for calculation of evaluation value (X, Y). It is a figure which shows the example of a 1st entry function. It is a figure which shows the example of the process result of a 1st entry function. It is a figure which shows the example of a 2nd entry function. It is a figure which shows the example of the process result of a 2nd entry function. It is a figure which shows the example of a 3rd entry function. It is a figure which shows the example of the process result of a 3rd entry function. It is a flowchart which shows operation | movement of a verification object function selection part. It is a figure which shows the example of the process result of the 1st entry function by a verification object function selection part. It is a figure which shows the example of the process result of the 2nd entry function by a verification object function selection part. It is a figure which shows the example of the process result of the 3rd entry function by a verification object function selection part.

<This embodiment>
Embodiments of the present invention will be described below with reference to the accompanying drawings.
As shown in FIG. 1, the verification target function automatic selection device of the present invention inputs an inspection specification 1 and an inspection target code (inspection target program) 2 and outputs an inspection result 3.

  The verification target function automatic selection device of the present invention includes a model checking control unit 10, a storage device 20, and a verification target function selection unit 30.

The model check control unit 10 includes a control flow graph model creation unit 11, a check model creation unit 12, a model check execution unit 13, and a check result output unit 14.

The storage device 20 includes a pre-conversion control flow graph model storage unit 21, a post-conversion control flow graph model storage unit 22, and an inspection model storage unit 23.

The verification target function selection unit 30 includes a call function detection unit 31, a function evaluation unit 32, a verification target function selection unit 33, and a control flow graph model conversion unit 34. The verification target function selection unit 30 is a characteristic component of this patent.

Control flow graph model creation unit 11 reads the inspection object code 2 and the inspection specification 1, the compiler optimization process of the prior art to create a control flow graph model after having carried out, before the conversion of the storage device 20 control flow graph model The data is output to the storage unit 21.

Here, the inspection specification 1 includes options indicating the name of the function (entry function) that is the starting point of the verification target, the verification upper limit time, the verification method, and the like. Furthermore, in the present invention, the inspection specification 1 includes the maximum number of blocks in the control flow graph representation of the model to be verified.

Test model creation unit 12 reads the control flow graph model from the converted control flow graph model storage unit 2 2 of the storage device 20 is a conventional computation tree logic (Computation Tree Logic: CTL) symbolic model checking method using The inspection model is created according to the above and is output to the inspection model storage unit 23 of the storage device 20.

The model checking execution unit 13 reads the checking model from the checking model storage unit 23 of the storage device 20, and executes checking in accordance with the symbol model checking method using the above-described conventional calculation tree logic .

Inspection result output unit 14 outputs the results of the examination of the model test execution unit 1 3 is executed as a test result 3.

The calling function detection unit 31 reads the control flow graph model held in the pre-conversion control flow graph model storage unit 21 of the storage device 20 and detects a function called from the entry function specified by the inspection specification 1.

  The function evaluation unit 32 calculates the number of blocks and the evaluation value of each function detected by the calling function detection unit 31.

  The verification target function selection unit 33 selects a function having a high evaluation value within the range of the maximum number of blocks specified in the inspection specification 1.

Control flow graph model conversion unit 34, the verification target function selecting section 33 is a control flow graph model from the selected function to convert the control flow graph model as constructed, transformed converted control flow of the control flow graph model The data is output to the graph model storage unit 22.

<Description of operation of this embodiment>
Next, the operation of this embodiment will be described in detail with reference to the flowchart of FIG.

(1) Step A1
First, the control flow graph model creation unit 11 refers to the inspection specification 1 and the inspection target code 2, performs compiler optimization processing on the inspection target code 2, and generates a control flow graph model based on the inspection specification 1. The control flow graph model is stored in the pre-conversion control flow graph model storage unit 21. The compiler optimization processing and control flow graph model creation processing are described in, for example, “" Compiler II Principle / Technique / Tool ”A.1. V. Aiho, R.A. Cessie, J. D. The conventional technique as described in “Ullman (Non-Patent Document 2)” is used.

(2) Step A2
Next, the calling function detector 31 function from the stored control flow graph model pre-conversion control flow graph model storage unit 21, are directly or indirectly called from the entry function specified in the inspection specification 1 Detect all.

(3) Step A3
Next, the function evaluation unit 32 calculates the number of blocks of the detected function and the evaluation value. Details will be described later.

(4) Step A4
Next, the verification target function selection unit 33 selects a function to be added to the verification target from the detected functions based on the calculated number of blocks and evaluation.

(5) Step A5
Then, the control flow graph model conversion unit 34 deletes the function other than the selected function from the control flow graph model, a control flow graph model remains as a function only the selected function, the converted control flow graph model Store in the storage unit 22.

(6) Step A6
Next, the test model creation unit 12 creates a test model from the control flow graph model stored in the converted control flow graph model storage unit 22 stores this test model the test model storage unit 23. The inspection model creation process is described in, for example, “National Institute of Advanced Industrial Science and Technology, System Verification Research Center, Technical Report“ Survey of Verification Tools Using Abstraction ”Yoshinori Tanabe, Toshinori Takai, Koichi Takahashi (Non-patent Document 3)”. This is done with conventional technology.

(7) Step A7
The model checking execution unit 13 reads the checking model stored in the checking model storage unit 23 and performs model checking.

(8) Step A8
Finally, the inspection result output unit 14 outputs the result of the model inspection as the inspection result 3.

Here, step A3 will be described in detail.
The function evaluation unit 32 calculates the number of blocks and the evaluation value of the detected function. At this time, the number of blocks of the function is the number of blocks in the control flow graph representation of the function.

  The function evaluation value is set as an index that can be ranked according to the presence or absence of reference to an arbitrary value and the influence of the lower function on improving the verification accuracy with respect to the upper function. Since this differs depending on the characteristics, an example will be described here.

  In this example, the evaluation value (X, Y) is assumed to be composed of two values “X” and “Y”.

  “X” is an evaluation value obtained when a function called from the function (referred to as a lower function) returns an arbitrary value. “Y” is an evaluation value obtained based on the evaluation value of the lower function.

  Therefore, when there is no lower function, “X” and “Y” have the same value. As a result, the evaluation value when the lower function is not selected as the verification target function can be regarded as “X”, and the evaluation value when the lower function is selected as the verification target function can be regarded as “Y”.

The rule of FIG. 3 is used for calculation of the evaluation values (X, Y).
FIG. 3 shows the following three rules.

(1) Rule 1: When the return value of a function is used in a higher-order function When an arbitrary value is included directly or indirectly in the return value calculation formula, 0 points are added (points are not added).
If an arbitrary value is not included directly or indirectly in the return value calculation formula, one point is added.

(2) Rule 2: When a function argument is passed by address If an arbitrary value is included directly or indirectly in a calculation expression assigned to the argument pointed to in the function, 0 points are added (add points) do not do).
If an arbitrary value is not included directly or indirectly in the calculation expression assigned to the destination indicated by the argument in the function, one point is added for each argument.

(3) Rule 3: When there is an assignment of a global variable of a function When an arbitrary value is indirectly included in the calculation formula to be assigned, 0 points are added (points are not added).
When an arbitrary value is not indirectly included in the calculation formula to be substituted, one point is added for each global variable.

  This rule is characterized in that one point is added for each address passing argument and global variable. The reason is that the greater the number of variables affected by the upper function, the greater the effect on verification.

  Next, the operation of the function evaluation unit 32 will be specifically described with reference to FIGS. 4 to 9.

  With reference to FIG. 4, rule 1, rule 2, and rule 3 in FIG. 3 will be described.

  In FIG. 4, “entry1” is an entry function. From “entry1”, “f1”, “f2”, and “f3” functions are called.

  Since the return value of “f1” is used in the upper function and does not include an arbitrary value directly or indirectly in the calculation formula of the return value, the evaluation value is “1” according to rule 1 in FIG. .

  Both of the address passing arguments of “f2” are assigned values in “f2”, and both of them are directly or indirectly in the calculation formula assigned to the destination indicated by the argument in “f2”. Does not include an arbitrary value, the evaluation value is “2” according to rule 2 in FIG.

  Further, in the case of “f3”, values are assigned to the three global variables, and the calculation value to be assigned does not include an arbitrary value directly or indirectly. Therefore, according to Rule 3 in FIG. “3”.

  Further, since “f1”, “f2”, and “f3” do not have lower functions, “X” and “Y” of the evaluation values (X, Y) are the same value.

  Therefore, the evaluation values of “f1”, “f2”, and “f3” are (1, 1), (2, 2), and (3, 3), respectively.

  This result is shown in FIG.

  In FIG. 5, ““ f1 ”(1,1): 18” means that the number of blocks of the function “f1” is “18” and the evaluation value is (1,1). Similarly, ““ f2 ”(2, 2): 28” means that the number of blocks of the function “f2” is “28” and the evaluation value is (2, 2). ““ F3 ”(3, 3): 38” means that the number of blocks of the function “f3” is “38” and the evaluation value is (3, 3). Although the number of blocks is not specifically shown in the example of FIG. 6, it is a value given as an example to explain the operation of the verification target function selection unit 33 described later.

  Next, the rule 1 in FIG. 3 will be described with reference to FIG.

  In FIG. 6, “entry2” is an entry function. From “entry2”, the functions “g1”, “g4”, and “g6” are called. The return values of the functions “g1”, “g4”, and “g6” are used in the upper functions “i”, “j”, and “k”.

  “G1”, “g2”, “g3”, and “g4” have lower functions. “G5” and “g6” have no lower function.

  Here, the lower function “undet” called from “g3” is a function not included in the verification target code 2. Therefore, the return value of “undet” is an arbitrary value. Since “g3” includes an arbitrary value indirectly in the calculation formula of the return value, the evaluation value is “0”. Similarly, since “g2” and “g1” each include an arbitrary value indirectly in the calculation formula of the return value, the evaluation value is “0”.

  On the other hand, since “g5” and “g6” do not include an arbitrary value directly or indirectly in the calculation formula of the return value, the evaluation value is “1”. Similarly, since “g4” does not indirectly include an arbitrary value in the calculation formula of the return value, the evaluation value is “1”.

  At this time, “X” of the evaluation value (X, Y) of “g3” is “0” because the lower function “undet” called from “g3” returns an arbitrary value. “Y” is “0” because the evaluation value of the lower function “undet” is “0”.

  “X” of the evaluation value (X, Y) of “g2” is “0” because the lower function “g3” called from “g2” returns an arbitrary value. “Y” is “0” because the evaluation value of the lower function “g3” is “0”.

  “X” of the evaluation value (X, Y) of “g1” is “0” because the lower function “g2” called from “g1” returns an arbitrary value. “Y” is “0” because the evaluation value of the lower function “g2” is “0”.

  Since “g5” and “g6” have no lower function, “X” and “Y” of the evaluation values (X, Y) are also “1”.

  “X” of the evaluation value (X, Y) of “g4” is “0” because the lower function “g5” called from “g4” is an arbitrary value when called from “g4”. “Y” is “1” because the evaluation value of the lower function “g5” is “1”.

  Therefore, the evaluation values of “g1”, “g2”, “g3”, “g4”, “g5”, “g6” are (0, 0), (0, 0), (0, 0), ( 0, 1), (1, 1), (1, 1).

  This result is shown in FIG.

  The number of blocks in FIG. 7 is a value given as an example, as in FIG.

  In FIG. 7, ““ g1 ”(0, 0): 18” means that the number of blocks of the function “g1” is “18” and the evaluation value is (0, 0). Similarly, ““ g2 ”(0, 0): 28” means that the number of blocks of the function “g2” is “28” and the evaluation value is (0, 0). ““ G3 ”(0,0): 18” means that the number of blocks of the function “g3” is “18” and the evaluation value is (0,0). ““ G4 ”(0, 1): 28” means that the number of blocks of the function “g4” is “28” and the evaluation value is (0, 1). ““ G5 ”(1,1): 18” means that the number of blocks of the function “g5” is “18” and the evaluation value is (1,1). ““ G6 ”(1, 1): 38” means that the number of blocks of the function “g6” is “38” and the evaluation value is (1, 1).

  Similarly, when “entry3” in FIG. 8 is an entry function, the evaluation value illustrated in FIG. 9 is obtained. Also in FIG. 9, the number of blocks is an example given for explaining the operation of the verification target function selection unit 33 described later.

  In FIG. 8, “entry3” is an entry function. From “entry3”, functions “h1”, “h4”, and “h6” are called.

  “H1”, “h2”, and “h4” have lower functions. “H3”, “h5”, and “h6” have no lower-order function

  Here, since “h3” has values assigned to two global variables, and the calculation formula to be assigned does not include an arbitrary value directly or indirectly, according to rule 3 in FIG. “2”. Since “h3” does not have a lower function, “X” and “Y” of the evaluation values (X, Y) are also “2”.

  “X” of the evaluation value (X, Y) of “h2” is “0” because the lower function “h3” called from “h2” is an arbitrary value when called from “h2”. “Y” is “2” because the evaluation value of the lower function “h3” is “2”.

  “X” of the evaluation value (X, Y) of “h1” is “0” because the lower function “h2” called from “h1” is an arbitrary value when called from “h1”. “Y” is “2” because the evaluation value of the lower function “h2” is “2”.

  Since “h5” and “h6” have values assigned to one global variable and do not include any arbitrary value directly or indirectly in the calculation formula to be assigned, the evaluation value is determined according to rule 3 in FIG. Each is “1”. Since “h5” and “h6” do not have lower functions, “X” and “Y” of the evaluation values (X, Y) are also “1”.

  “X” of the evaluation value (X, Y) of “h4” is “0” because the lower function “h5” called from “h4” is an arbitrary value when called from “h4”. “Y” is “1” because the evaluation value of the lower function “h5” is “1”.

  Therefore, the evaluation values of “h1”, “h2”, “h3”, “h4”, “h5”, “h6” are (0, 2), (0, 2), (2, 2), ( 0, 1), (1, 1), (1, 1).

  FIG. 9 shows the result.

  The number of blocks in FIG. 9 is a value given as an example, as in FIGS.

  In FIG. 9, ““ h1 ”(0, 2): 60” means that the number of blocks of the function “h1” is “60” and the evaluation value is (0, 2). Similarly, ““ h2 ”(0, 2): 28” means that the number of blocks of the function “h2” is “28” and the evaluation value is (0, 2). ““ H3 ”(2, 2): 18” means that the number of blocks of the function “h3” is “18” and the evaluation value is (2, 2). ““ H4 ”(0, 1): 28” means that the number of blocks of the function “h4” is “28” and the evaluation value is (0, 1). ““ H5 ”(1,1): 18” means that the number of blocks of the function “h5” is “18” and the evaluation value is (1,1). ““ H6 ”(1, 1): 38” means that the number of blocks of the function “h6” is “38” and the evaluation value is (1, 1).

<Description of Operation of Verification Target Function Selection Unit 33>
Next, referring to the flowchart of FIG. 10, the verification target function selection unit 33 uses the calculated number of function blocks and the evaluation value to select a function to be added to the verification target (in FIG. 2). Step A4) will be described in detail.

  That is, step A4 in FIG. 2 includes processing from steps A401 to A410 in the flowchart in FIG. With respect to these steps, similar to the index value of the function described above, it is necessary to apply different logic depending on the characteristics of the model check execution unit 13, and therefore a selection method is defined according to the characteristics. Here, with reference to FIGS. 5 and 11, FIGS. 7 and 12, and FIGS. 9 and 13, the operation of the verification target function selection unit 33 will be specifically described using an example of a selection method.

In the flowchart of FIG. 10, the determined mark is flag information set for each function model in the control flow graph , and the function model is inspected by attaching the determined mark in the process. This indicates that the determination whether or not to include the target has already been set.

<(A) Operation for the Example of FIGS. 5 and 11>
First, the operation of the verification target function selection unit 33 for the examples of FIGS. 5 and 11 will be described. In this example, it will be described that functions are selected in descending order of evaluation value, that is, the degree of influence on the upper function. Further, it is assumed that “70” is designated as the maximum number of blocks in the inspection specification 1.

(1) Step A401
The verification target function selection unit 33 selects a function group having the lowest calling hierarchy from the entry function among the functions not having the determined mark. At this stage, there is no function with a determined mark. The verification target function selection unit 33 selects “f1”, “f2”, and “f3” because the call layers from the entry functions are all the same.

(2) Step A402
The verification target function selection unit 33 checks whether there is a function candidate. That is, the verification target function selection unit 33 confirms whether there is a selected function group. Here, the selected “f1”, “f2”, and “f3” are function candidates. If there is no function candidate (selected function group), the verification target function selection unit 33 ends the process.

(3) Step A403
If there is a function candidate (selected function group), the verification target function selecting unit 33 selects an evaluation value (X, Y) of “X” among the selected function groups having the same calling hierarchy. Choose the function group with the largest. Here, the verification target function selection unit 33 selects “f3” because “f3” has the largest evaluation value “X” among the selected “f1”, “f2”, and “f3”.

(4) Step A404
Next, the verification target function selection unit 33 selects a function group having the highest evaluation value (X, Y) “Y” among the evaluation values (X, Y) of the same value. Choose.

(5) Step A405
Next, the verification target function selection unit 33 selects a function group having the smallest number of function blocks among the evaluation values (X, Y) having the same “Y” value.

(6) Step A406
Next, the verification target function selection unit 33 selects the leftmost function on the control flow graph model among the functions having the same number of blocks.

  In this example, since the function “f3” has been narrowed down to step A403, even if the steps A404 to A406 are applied, “f3” is selected.

(7) Step A407
Next, the verification target function selection unit 33 checks whether the value “Y” of the evaluation value (X, Y) of the selected function is not “0”. Here, since “Y” of the selected evaluation value (X, Y) of “f3” is not “0”, the process proceeds to the next processing (step A408).

(8) Step A408
Next, the verification target function selection unit 33 confirms whether the value obtained by adding the number of function blocks to the cumulative number of blocks does not exceed the maximum number of blocks given in the inspection specification 1. Here, the cumulative block number at this stage is “0”, and the value “38” obtained by adding the block number “38” of “f3” to this cumulative block number is the maximum block number “70” assumed in this example. ”Does not exceed, the process proceeds to the next process (step A409).

(9) Step A409
Next, the verification target function selection unit 33 adds the corresponding function to the verification target and puts a determination mark. In addition, the verification target function selection unit 33 adds the number of blocks of the corresponding function to the cumulative number of blocks. Here, the verification target function selection unit 33 adds “f3” that satisfies the conditions so far to the inspection target and puts a determined mark. The cumulative number of blocks is “38”. Thereafter, the process returns to the first process (step A401).

  The verification target function selection unit 33 again applies Steps A401 to A407 to “f1” and “f2” that are not marked at this stage, and selects “f2”. The flow of this process will be described in detail below.

(10) Step A401
The verification target function selection unit 33 selects a function group having the lowest calling hierarchy from the entry function among the functions not having the determined mark. At this stage, the verification target function selection unit 33 selects “f1” and “f2” because “f3” is already marked.

(11) Step A402
The verification target function selection unit 33 checks whether there is a function candidate. That is, the verification target function selection unit 33 confirms whether there is a selected function group. Here, the selected “f1” and “f2” are function candidates. If there is no function candidate (selected function group), the verification target function selection unit 33 ends the process.

(12) Step A403
If there is a function candidate (selected function group), the verification target function selecting unit 33 selects an evaluation value (X, Y) of “X” among the selected function groups having the same calling hierarchy. Choose the function group with the largest. Here, the verification target function selection unit 33 selects “f2” because “f2” has the largest evaluation value “X” among the selected “f1” and “f2”.

(13) Step A404
Next, the verification target function selection unit 33 selects a function group having the highest evaluation value (X, Y) “Y” among the evaluation values (X, Y) of the same value. Choose.

(14) Step A405
Next, the verification target function selection unit 33 selects a function group having the smallest number of function blocks among the evaluation values (X, Y) having the same “Y” value.

(15) Step A406
Next, the verification target function selection unit 33 selects the leftmost function on the control flow graph model among the functions having the same number of blocks.

  In this example, since the function “f2” is narrowed down to the step A403, even if the steps A404 to A406 are applied, “f2” is selected.

(16) Step A407
Next, the verification target function selection unit 33 checks whether the value “Y” of the evaluation value (X, Y) of the selected function is not “0”. Here, since “Y” of the evaluation value (X, Y) of the selected “f2” is not “0”, the process proceeds to the next process (step A408).

(17) Step A408
Next, the verification target function selection unit 33 confirms whether the value obtained by adding the number of function blocks to the cumulative number of blocks does not exceed the maximum number of blocks given in the inspection specification 1. Here, the cumulative number of blocks at this stage is “38”, and the value “66” obtained by adding the number of blocks “28” of “f2” does not exceed the maximum number of blocks “70” set in this example. Therefore, the process proceeds to the next process (step A409).

(18) Step A409
Next, the verification target function selection unit 33 adds the corresponding function to the verification target and puts a determination mark. In addition, the verification target function selection unit 33 adds the number of blocks of the corresponding function to the cumulative number of blocks. Here, the verification target function selection unit 33 adds “f2” that satisfies the above conditions to the inspection target, and puts a determined mark. The cumulative number of blocks is “66”. Thereafter, the process returns to the first process (step A401).

  The verification target function selection unit 33 again applies steps A401 to A407 to “f1” that is not marked at this stage. The flow of this process will be described in detail below.

(19) Step A401
The verification target function selection unit 33 selects a function group having the lowest calling hierarchy from the entry function among the functions not having the determined mark. At this stage, the verification target function selection unit 33 selects “f1” because “f2” and “f3” are already marked.

(20) Step A402
The verification target function selection unit 33 checks whether there is a function candidate. That is, the verification target function selection unit 33 confirms whether there is a selected function group. Here, the selected “f1” is a function candidate. If there is no function candidate (selected function group), the verification target function selection unit 33 ends the process.

(21) Step A403
If there is a function candidate (selected function group), the verification target function selecting unit 33 selects an evaluation value (X, Y) of “X” among the selected function groups having the same calling hierarchy. Choose the function group with the largest. Here, since the selected function is only “f1”, “f1” is selected.

(22) Step A404
Next, the verification target function selection unit 33 selects a function group having the highest evaluation value (X, Y) “Y” among the evaluation values (X, Y) of the same value. Choose.

(23) Step A405
Next, the verification target function selection unit 33 selects a function group having the smallest number of function blocks among the evaluation values (X, Y) having the same “Y” value.

(24) Step A406
Next, the verification target function selection unit 33 selects the leftmost function on the control flow graph model among the functions having the same number of blocks.

  In this example, since the function “f1” has been narrowed down at the stage of step A403, “f1” is selected even if steps A404 to A406 are applied.

(25) Step A407
Next, the verification target function selection unit 33 checks whether the value “Y” of the evaluation value (X, Y) of the selected function is not “0”. Here, since “Y” of the selected evaluation value (X, Y) of “f1” is not “0”, the process proceeds to the next process (step A408).

(26) Step A408
Next, the verification target function selection unit 33 confirms whether the value obtained by adding the number of function blocks to the cumulative number of blocks does not exceed the maximum number of blocks given in the inspection specification 1. Here, the cumulative number of blocks at this stage is “66”, and adding the number of blocks “18” of “f1” exceeds the assumed maximum number of blocks “70”, and therefore does not exceed the assumed maximum number of blocks. The process proceeds to processing different from the case (step A410).

(27) Step A410
Next, the verification target function selection unit 33 puts a determined mark on the corresponding function and the lower function. Here, the verification target function selection unit 33 puts a determined mark on “f1”. Thereafter, the process returns to the first process (step A401).

  The verification target function selection unit 33 applies Step A401 again, but since there is no function without a determined mark at this stage, the process of Step A4 ends.

  In this way, functions are selected in the order of “f3” and “f2”. The effect of “f3” on “entry1” is “three global variables”, the effect of “f2” on “entry1” is “two arguments passed by address”, and the ones with the highest influence are in order. It can be seen that is selected.

  This is illustrated in FIG. In FIG. 11, circled numbers indicate the order of selection, and asterisks indicate functions that were not selected. Others are the same as FIG.

  In FIG. 11, ““ f1 ”(1, 1): 18” means that the number of blocks of the function “f1” is “18” and the evaluation value is (1, 1). Similarly, ““ f2 ”(2, 2): 28” means that the number of blocks of the function “f2” is “28” and the evaluation value is (2, 2). ““ F3 ”(3, 3): 38” means that the number of blocks of the function “f3” is “38” and the evaluation value is (3, 3).

<(B) Operation for the example of FIGS. 7 and 12>
Next, the operation of the verification target function selection unit 33 for the examples of FIGS. 7 and 12 will be described. In this example, it will be described that a function including an arbitrary value in the calculation formula is not selected. In the inspection specification 1, “90” is designated as the maximum number of blocks.

  Similar to the processing for FIG. 5, by repeatedly applying steps A401 to A409 to FIG. 7, the verification is performed in the order of “g6” and “g4” from “g1”, “g4”, and “g6”. After that, if step A407 is applied to “g1”, since “Y” of the evaluation value (X, Y) of “g1” is “0”, “g1” is the verification target Not considered.

  Further, in step A410, “g1” and its subordinate functions “g2” and “g3” are similarly marked as determined without being regarded as verification targets. Thereafter, the process returns to step A401, and when “g5” is added to the verification target, the process of step A4 ends.

  In this way, functions are selected in the order of “g6”, “g4”, and “g5”. It can be seen that “g1”, “g2”, and “g3” including arbitrary values were not verified.

  This is illustrated in FIG. In FIG. 12, circled numbers indicate the order of selection, and stars indicate functions that are not selected. Others are the same as FIG.

  In FIG. 12, ““ g1 ”(0,0): 18” means that the number of blocks of the function “g1” is “18” and the evaluation value is (0,0). Similarly, ““ g2 ”(0, 0): 28” means that the number of blocks of the function “g2” is “28” and the evaluation value is (0, 0). ““ G3 ”(0,0): 18” means that the number of blocks of the function “g3” is “18” and the evaluation value is (0,0). ““ G4 ”(0, 1): 28” means that the number of blocks of the function “g4” is “28” and the evaluation value is (0, 1). ““ G5 ”(1,1): 18” means that the number of blocks of the function “g5” is “18” and the evaluation value is (1,1). ““ G6 ”(1, 1): 38” means that the number of blocks of the function “g6” is “38” and the evaluation value is (1, 1).

<(C) Operation for the Example of FIGS. 9 and 13>
Next, the operation of the verification target function selection unit 33 for the examples of FIGS. 9 and 13 will be described. In this example, it will be described that a function exceeding the maximum block number limit is not selected. In the inspection specification 1, “90” is designated as the maximum number of blocks.

  Also in this case, as in FIGS. 5 and 7, the series of processing of steps A401 to A409 is repeatedly applied to FIG.

  First, after “h6” is selected as the target function, “h1” is selected in step A404. In this case, when A408 is applied thereafter, the cumulative number of blocks at this stage is 38. Since the value obtained by adding the number of blocks “60” of “h1” exceeds the designated maximum number of blocks “90”, the value is not selected as a verification target.

  Further, in step A410, the determined mark is attached together with the lower functions “h2” and “h3”.

  After this, steps A401 to A409 are applied to the remaining “h4” and “h5”, but “h4” and “h5” do not exceed the maximum number of blocks, and are added to the verification target. Judgment mark is attached. At this point, there are no function candidates, and the process of step A4 ends.

  In this way, functions are selected in the order of “h6”, “h4”, and “h5”. Since “h1” exceeds the maximum block number limit, it is not a verification target.

  This is illustrated in FIG. In FIG. 13, circled numbers indicate the order of selection, and stars indicate functions that were not selected. Others are the same as FIG.

  In FIG. 13, ““ h1 ”(0, 2): 60” means that the number of blocks of the function “h1” is “60” and the evaluation value is (0, 2). Similarly, ““ h2 ”(0, 2): 28” means that the number of blocks of the function “h2” is “28” and the evaluation value is (0, 2). ““ H3 ”(2, 2): 18” means that the number of blocks of the function “h3” is “18” and the evaluation value is (2, 2). ““ H4 ”(0, 1): 28” means that the number of blocks of the function “h4” is “28” and the evaluation value is (0, 1). ““ H5 ”(1,1): 18” means that the number of blocks of the function “h5” is “18” and the evaluation value is (1,1). ““ H6 ”(1, 1): 38” means that the number of blocks of the function “h6” is “38” and the evaluation value is (1, 1).

  The effect of the present invention is that a more effective verification result can be obtained within a given verification time by reconstructing a model to be verified prior to model checking. The reason is that the function to be verified is selected from the functions to be modeled out of the functions to be called from the entry function by the verification target function selection means because there is a high possibility that the verification result cannot be obtained within the specified time due to the large number of model states. This is because more verification time can be allocated to verification of other functions that can be verified in a relatively short time.

  As described above, the present invention has a high verification effect by specifying the function that is the starting point of the verification target and the maximum number of blocks that can be verified in the processing system that verifies the source code using the model checking technique. The present invention relates to an apparatus and a method having a mechanism for automatically selecting a function.

  In the present invention, attention is focused on a variable that takes an arbitrary value or a return value of a function as the largest element that increases the number of states of the model.

  An arbitrary value means that it cannot be determined to take a specific value or a limited range of values under given conditions.

  In addition, for variables and functions that are regarded as arbitrary values, it is necessary to model them as possible values, so the amount of calculation in model checking becomes very large and within the upper limit time. The possibility that the verification result is not obtained is very high.

Furthermore, as another point of interest, an upper limit value of the number of blocks in the control flow graph model is considered. In general, there is a correlation between the total number of blocks constituting the control flow graph expression of the model to be verified and the verification time, and the verification time becomes longer as the number of blocks increases.

  In the present invention, a model that can obtain a more effective verification result within a given verification time by reconstructing the model to be verified using the above two elements before executing model checking. Output.

First, in a control flow graph model converted from a given source code, a series of function call flows including variables and function references that take arbitrary values are excluded from inspection targets.

  Furthermore, the rank of the higher-level function is evaluated based on how much context is given by the lower-level function, that is, how much higher-level function verification accuracy is improved by modeling the lower-level function. In addition, the functions are selected so that the total number of blocks of the model to be rebuilt falls within the upper limit specified in advance.

  Here, “context” means that a lower function assigns a value to a variable used by the upper function. There are three methods for substituting a value for a variable used by an upper function: using a return value, using an address passing argument, and using a global variable.

  Such a model reconstruction technique makes it possible to effectively use a given verification time and obtain more verification results.

  The verification target function automatic selection device of the present invention includes a test specification, a test target code, a test result, a model test control unit, a storage unit, and a verification target function selection unit.

  Here, the model checking control means is configured by conventional techniques such as a symbol model checking method using compiler optimization processing and calculation tree logic.

The model check control means includes a control flow graph model creation means, a check model creation means, a model check execution means, and a check result output means.

The storage means includes a pre-conversion control flow graph model storage means, a post-conversion control flow graph model storage means, and an inspection model storage means.

The verification target function selection unit includes a calling function detection unit, a function evaluation unit, a verification target function addition unit, and a control flow graph model conversion unit.

  INDUSTRIAL APPLICABILITY According to the present invention, the present invention can be applied to an application for enhancing the verification effect of source code verification using model checking.

  As mentioned above, although embodiment of this invention was explained in full detail, actually, it is not restricted to said embodiment, Even if there is a change of the range which does not deviate from the summary of this invention, it is included in this invention.

DESCRIPTION OF SYMBOLS 1 ... Inspection specification 2 ... Inspection object code 3 ... Inspection result 10 ... Model inspection control part 11 ... CFG model preparation part 12 ... Inspection model preparation part 13 ... Model inspection execution part 14 ... Inspection result output part 20 ... Storage device 21 ... Conversion Pre-CFG model storage unit 22 ... Post-conversion CFG model storage unit 23 ... Inspection model storage unit 30 ... Verification target function selection unit 31 ... Call function detection unit 32 ... Function evaluation unit 33 ... Verification target function selection unit 34 ... CFG model conversion unit

Claims (12)

Model inspection control means for reading the inspection specification and inspection target code, performing compiler optimization processing on the inspection target code, and creating a control flow graph model based on the inspection specification;
Read the control flow graph model, detect a function called from the entry function specified in the inspection specification, calculate the block number and evaluation value of the detected function, based on the calculated block number and evaluation Selecting a function to be added to the verification target from the detected functions, and a verification target function selection means for converting the control flow graph model based on the selected function,
The model check control means reads the converted control flow graph model, creates a check model in accordance with a symbol model check method using calculation tree logic, and applies the calculation tree logic to the check model. A verification function automatic selection device that executes a check in accordance with the symbol model check method used, and outputs a result of the executed check. The verification target function automatic selection device according to claim 1,
The model checking control means includes
A control flow graph model creating means for creating a control flow graph model based on the inspection specification after reading the inspection specification and the inspection target code, and performing a compiler optimization process on the inspection target code;
An inspection model creation means for reading the converted control flow graph model and creating an inspection model in accordance with a symbolic model inspection method using computational tree logic;
Model checking execution means for reading the checking model and executing checking in accordance with a symbolic model checking method using the calculation tree logic;
Verified function automatic selection device that includes a test result output means for outputting the results of the previous tests liver del test execution means has executed. The verification target function automatic selection device according to claim 1 or 2,
The verification target function selecting means includes:
A call function detection unit that reads the control flow graph model and detects all functions that are directly or indirectly called from the entry function specified by the inspection specification;
For each of the functions detected by the calling function detection means, function evaluation means for calculating the number of blocks of the function and an evaluation value;
A verification target function selection unit that selects a function having a high evaluation value within the range of the maximum number of blocks specified in the inspection specification;
A function other than the function selected by the verification target function selection unit is deleted from the control flow graph model, and the control flow graph model in which the selected function remains as a function is output as the converted control flow graph model And a control flow graph model conversion means for performing a verification target function automatic selection device. A control flow graph model creating means for creating a control flow graph model based on the inspection specification after reading the inspection specification and the inspection target code and performing compiler optimization processing on the inspection target code;
Call function detection means for reading the control flow graph model and detecting a function called from an entry function specified by the inspection specification;
For each of the functions detected by the calling function detection means, function evaluation means for calculating the number of blocks of the function and an evaluation value;
Verification target function selection means for selecting a function having a high evaluation value within the range of the maximum number of blocks specified in the inspection specification;
Control flow graph model conversion means for converting the control flow graph model and generating the converted control flow graph model based on the function selected by the verification target function selection means;
An inspection model creation means for reading the converted control flow graph model and creating an inspection model in accordance with a symbolic model inspection method using computational tree logic;
Model checking execution means for reading the checking model and executing checking in accordance with a symbolic model checking method using the calculation tree logic;
Verified function automatic selection device that includes a test result output means for outputting the results of the previous tests liver del test execution means has executed. After reading the inspection specification and inspection target code, and applying compiler optimization processing to the inspection target code, create a control flow graph model based on the inspection specification,
Referring to the control flow graph model, a function called from an entry function specified by the inspection specification is detected, the number of blocks and an evaluation value of the detected function are calculated, and the calculated number of blocks and evaluation are calculated. Based on the detected function, select a function to be added to the verification target, transform the control flow graph model based on the selected function,
Referencing the converted control flow graph model, creating a check model in accordance with a symbol model check method using calculation tree logic, and using the check tree model, a symbol model check method using the calculation tree logic A method for automatically selecting a function to be verified, which executes a test according to the above and outputs the result of the executed test. The verification target function automatic selection method according to claim 5,
Read the inspection specification and the inspection target code, and after performing compiler optimization processing on the inspection target code, create a control flow graph model based on the inspection specification,
Read the converted control flow graph model, create a check model according to the symbolic model check method using computational tree logic,
Read the inspection model, execute the inspection in accordance with the symbolic model inspection method using the calculation tree logic,
A verification target function automatic selection method for outputting a result of the executed inspection. It is a verification object function automatic selection method according to claim 5 or 6,
Read the control flow graph model, detect all functions that are called directly or indirectly from the entry function specified in the inspection specification,
For each of the detected functions, calculate the number of blocks and the evaluation value of the function,
Select a function with a high evaluation value within the range of the maximum number of blocks specified in the inspection specification,
Functions other than the selected function are deleted from the control flow graph model, and the control flow graph model in which the selected function remains as a function is output as the converted control flow graph model. Selection method. After reading the inspection specification and inspection target code, and applying compiler optimization processing to the inspection target code, create a control flow graph model based on the inspection specification,
Read the control flow graph model, detect a function called from the entry function specified in the inspection specification,
For each of the detected functions, calculate the number of blocks and the evaluation value of the function,
Select a function with a high evaluation value within the range of the maximum number of blocks specified in the inspection specification,
Transforming the control flow graph model based on the selected function to generate the transformed control flow graph model;
Read the converted control flow graph model, create a check model according to the symbolic model check method using computational tree logic,
Read the inspection model, execute the inspection in accordance with the symbolic model inspection method using the calculation tree logic,
A verification target function automatic selection method for outputting a result of the executed inspection. Reading the inspection specification and the inspection target code, performing compiler optimization processing on the inspection target code, and creating a control flow graph model based on the inspection specification;
Referring to the control flow graph model, a function called from an entry function specified by the inspection specification is detected, the number of blocks and an evaluation value of the detected function are calculated, and the calculated number of blocks and evaluation are calculated. Based on the detected function, selecting a function to be added to the verification target, and converting the control flow graph model based on the selected function;
Referencing the converted control flow graph model, creating a check model in accordance with a symbol model check method using calculation tree logic, and using the check tree model, a symbol model check method using the calculation tree logic A program for automatic selection of a function to be verified for causing a computer to execute a test in accordance with and to output a result of the executed test. It is a program for automatic verification object function selection according to claim 9,
Reading the inspection specification and the inspection target code, performing a compiler optimization process on the inspection target code, and creating a control flow graph model based on the inspection specification;
Reading the converted control flow graph model and creating a check model according to a symbolic model check method using computational tree logic;
Reading the check model and performing a check in accordance with a symbolic model check method using the computational tree logic;
A program for automatically selecting a verification target function for causing a computer to further execute the step of outputting the result of the executed inspection. A program for automatic verification target function selection according to claim 9 or 10,
Reading the control flow graph model and detecting all functions that are called directly or indirectly from the entry function specified in the inspection specification;
For each of the detected functions, calculating the number of blocks of the function and an evaluation value;
Selecting a function having a high evaluation value within the range of the maximum number of blocks specified in the inspection specification;
Deleting a function other than the selected function from the control flow graph model, and outputting the control flow graph model in which the selected function remains as a function as the converted control flow graph model; A program for automatic selection of functions to be verified to be executed by a computer. Reading the inspection specification and the inspection target code, performing compiler optimization processing on the inspection target code, and creating a control flow graph model based on the inspection specification;
Reading the control flow graph model and detecting a function called from an entry function specified by the inspection specification;
For each of the detected functions, calculating the number of blocks of the function and an evaluation value;
Selecting a function having a high evaluation value within the range of the maximum number of blocks specified in the inspection specification;
Converting the control flow graph model based on the selected function to generate the converted control flow graph model;
Reading the converted control flow graph model and creating a check model according to a symbolic model check method using computational tree logic;
Reading the check model and performing a check in accordance with a symbolic model check method using the computational tree logic;
A program for automatically selecting a verification target function for causing a computer to execute the step of outputting the result of the executed inspection.