JPH10228387A - Specification verification system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce calculation volume required for judging whether a program synthesized from program components generates dead lock or not even when the program is used for parallel processing. SOLUTION: In Step 1-1, the expression of a process to be analyzed at its dead lock is inputted, and in Step 1-2, syntax analysis for the process expression is executed, the process is decomposed up to kernel processes while grouping the events as a shared event to prepare a block diagram of processes. In Step 1-3, 1-4, the state transition diagram of a synthetic process is prepared from the process block diagram in a bottom up state, and in Step 1-5, dead lock is judged based on the generated state transition diagram of the synthetic process.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] The present invention relates to a specification verification system.

[0002]

2. Description of the Related Art A description of the prior art is summarized in the attached commentary article (Journal of Information Processing Society of Japan Vol. 35 No.
8, pp. 736-741). The specification using the process algebra is a specification language of the process algebra for logically and strictly defining the parallel operation as shown in equation (1) of this article (in this example, CCS which is one of the process algebras) This is developed into a transition graph as shown in FIG. 2 and verification such as deadlock check is performed. This will be described by taking as an example the determination of the presence or absence of a deadlock when a system for supporting and monitoring the operation of a plant such as a nuclear power plant or a thermal power plant shown in FIG. Think in a broad sense, including). Here, deadlock means that the two subsystems are in a signal waiting state and do not operate.

As shown in FIG. 2, a plant operation support / monitoring system to be constructed receives a control signal from a plant, processes a sensor signal, and displays a man-machine interface including information such as operation instructions and sensor values on a man-machine interface. It sends data. Ultimately, the operator receives a sensor signal and a driving operation instruction from the man-machine interface. Here, the part excluding the man-machine interface is referred to as a plant operation support / monitoring system. Consider a case where a plant operation support / monitoring system is constructed by combining the following three program components. (1) Driving support and processing of processing a signal from a sensor and data of an operation instruction received from another program part as display data, sending the processed data to a man-machine interface, and sending a pre-processed sensor signal to another program part. Program part of monitoring information control unit.
(2) A driving condition determining component for determining a driving condition using a preprocessed sensor signal, and (3) a corresponding operation inference component for receiving a driving condition determination result and issuing a corresponding operation instruction. The specification of these three program parts is one of the most common description methods for describing a column processing system.
It is described by the following notation. These are shown in Equations 1, 2, and 3. These correspond to the components (1), (2) and (3), respectively. Equation 4 represents the program components (2) and (3)
Is a specification corresponding to the situation determination / corresponding operation determining unit created by combining the above. Equation 5 is a specification of the plant operation support / monitoring system which can be formed by combining the specification components (1), (2), and (3).

[0004] P = a->d->b->d->a->a->a-> P (Equation 1) Q = a->c-> Q (Equation 2) R = c- >B-> R (Equation 3) S = Q [{c}] R (Equation 4) T = P [{a, b}] S (Equation 5) Also used for Equations 1 to 5 And the "operation instruction" and "operation status judgment result" described in FIG.
FIG. 3 shows a correspondence relationship with an event indicating transmission / reception of data such as data. For example, the process P of Formula 1 indicates a process executed by the program component of the driving support / monitoring information control unit. However, for the sake of simplicity, it is assumed here that the transmission and reception of data and signals between the processes occur simultaneously and form a shared event.
The process P processes the signal received from the sensor to generate a preprocessed sensor signal (event a), generates display data (event d), receives an operation instruction (event b),
This is a program component that processes the content again to generate display data (event d), and then processes and generates the signal received from the sensor three times in succession (event a), and repeats this. Similarly, the program component of Equation 2 is a program component of the operation status determination unit, which receives the preprocessed sensor signal (event a), determines the operation status using the sensor signal, and transmits the operation status determination result (event c). ). This is a program component that repeats the above processing. Further, the program component of Equation 3 corresponds to a corresponding operation inference unit, receives a driving situation determination result (event c), executes inference based on the result, and transmits an operation instruction (event b). This is the process of repeating this. These specifications define the order in which events occur and do not touch on the content of the data. These three processes cannot be further decomposed and are called nuclear processes. On the other hand, the synthesis process is a process in which these nuclear processes are operated in parallel. For example, Equation 4
Is a process in which a nuclear process Q and a nuclear process R
Is a synthesis process that operates in parallel as a shared event. Here, a shared event is a process that must occur simultaneously in two processes. In our example, first,
When the event "a" occurs in the process Q and then the event "c" occurs, the event "c" also occurs in the process R at the same time. This synthesis process S is a process representing the operation of the situation determination / correspondence operation unit of FIG. 2, and when a preprocessed sensor signal is received, the driving situation is determined,
It is a subsystem that determines and outputs an operation instruction based on the instruction. On the other hand, Equation 5 is a synthesis process T intended to realize the entire driving assistance / monitoring system of FIG. 2 by synthesizing the program parts of Equations 1 to 3, and (a) generating a preprocessed sensor signal. (Event "a"), the data is processed and (2) transmitted as display signal data (event "d"). On the other hand, the operation status is determined from the signal to determine a corresponding operation (event "b"). "), The corresponding operation is processed for display and output (event" d "), and then a preprocessed signal is generated three times (event" a "). This is a process of repeating the above processing.

In order to check whether a control program created only by a combination of parts can control the entire system as desired, conventionally, a state transition diagram of individual parts is synthesized bottom-up. This has been done by creating an overall state transition diagram. For example, the absence of deadlock is an important requirement in system design. To explain the conventional deadlock analysis method,
A conventional method for determining whether or not the process T represented by Equation 5 deadlocks will be described. FIG. 4 shows a schematic processing procedure for determining a deadlock. In the figure
In Step 3-1, an expression from Expression 1 to Expression 5 is input by a normal lexical analysis technique, and it is specified that the process to be analyzed for deadlock is the process T (Expression 5). It then parses the input expression and breaks it down into nuclear processes. Decomposing into a top-down means that if wrestling is synthesized from two processes by the already-described parallel connection operator [｛...｝] or the like, it is decomposed into individual processes. Also, the nuclear process is
It refers to a process that cannot be further decomposed in this way. Such a decomposition is also possible by ordinary parsing techniques. FIG. 5 shows a structural diagram of a process resulting from the decomposition. The structure diagram of the process has a tree structure, and the leaves corresponding to the leaves are core processes. In this case, processes P, Q,
R corresponds to that. Described in the tree node in the figure is a synthesis process synthesized from the subtree. Since such a tree-structured data structure can be realized by a general high-level language such as C or Lisp, the following description is limited to the description at the tree structure level. Next, a state transition diagram of the nuclear process is created in Step 3-3. FIG. 6 shows a state transition diagram of each of the nuclear processes P, Q, and R. Appropriate names (P1, P2,..., Etc.) are given to distinguish the states in the state transition diagram. The state where the arrow without the state of the starting point is the destination is the initial state. The initial states of the processes P, Q, and R are P0, Q0, and R0, respectively. Further, a character string written above the arrow indicates that an event of the character string occurs and the state changes. For example, in the nuclear process P, after the initial state P0, the event a is generated and the state becomes the state P1. A data structure and operation equivalent to such a state transition diagram can be easily realized in a general high-level language. Next, Step 3-4
Then, a state transition diagram of each nuclear process is sequentially created from the bottom up based on the composite diagram of the process. FIG. 7 shows a procedure for creating a state transition diagram of the synthesis process. This will be described with reference to an example in FIG. 5 in which a composite process Q [{c}] R in which a common event is c is created from the nuclear processes Q and R. FIG. 8 is a state transition diagram of the synthesis result. First, Step6
In the case of -1, the initial state set of the synthesis source process is set as the initial state in the synthesis process. This corresponds to the state (Q0, R0) at the left end in FIG. This state is placed at the head of the state queue in Step 6-2, taken out in the next Step 6-3, and set as (Qt, Rt) = (Q0, R0). Next, in Step 6-4, the transition other than the common event c from Q0 is a
The transition (a, ε) generates a new state (Q1, R0). Here, ε indicates that no event occurs, and for R0, it indicates that the original state R0 is maintained regardless of the occurrence of a. The event that causes the transition is a set of events as described above, and this is also regarded as a transition caused by the event a. Depending on the structure of the process, the set of events can be as deep as possible. This is the only transition other than the common event c from Q0, and this state is added to the queue. On the other hand, there is no transition other than the shared event c from the process R0. Next, Step 6
At 5, it is checked whether the transition by the shared event c is common to Q0 and R0, and there is a transition from R0, but no transition from Q0. Therefore, there is no state newly added in Step 6-6. Further, since the transition by (a, ε) has already been found, the state (Q0, R0) is not a deadlock state. Next, looking at the queue in Step 6-7, (Q1, R0) is at the head. Therefore, Step 6-4
Then, this (Q1, R0) is taken out of the queue and Step 6
-4, the transitions other than the shared event are state Q1, R
Since it is not 0, no transition occurs. Next, when Step 6-5 is executed, Q1 changes to the state Q0 due to the shared event c, and R
Since the state of 0 transitions to R1, the transition to the new state (Q0, R1) due to the event (c, c) is written in the state transition diagram, and (Q0, R1) is added to the state queue. Next, even if Step 6-6 is executed, (Q0, R1) is not in a deadlock state because a transition from (Q0, R1) has already been found. Next, when Step 6-7 is executed, there is a newly created state (Q0, R1) in the state queue. Then, in Step 6-3, the state (Q0, R1) is extracted. Next, in Step 6-4, when a transition other than the shared event from Q0 is found, a transition by a can be made. Therefore, the state (Q1, R1) generated by this event (a, ε) is not yet in the state transition diagram, and is added to the state queue. On the other hand, as a state transition other than the shared event from R1, there is a state transition system by b. Since the state (Q0, R0) generated by the state transition due to this event (ε, b) already exists in the state transition diagram, it is only necessary to write an arrow in the state transition diagram. In Step 6-5, no transition due to the shared event is found. No deadlock occurs because the transition destination has already been found.

At this stage, if the determination in Step 6-7 is made, the queue is not empty because there is a newly created state (Q1, R1). Then, the state (Q1, R1) is extracted in Step 6-3. Next, in Step 6-4, there is no transition other than the shared event from Q1, but there is a transition due to the non-shared event b from R1. However, since the state (Q1, R0) generated by (ε, b) is already in the state transition diagram, it is only necessary to attach an arrow. Next, in Step 6-5, there is no transition due to the shared event. Since the transition from the state (Q1, R1) has already been found in Step 6-6, it is not a deadlock state. Next, in Step 6-7, since the state queue is empty, the generation of the synthesis process ends.

Similarly, process P and process Q
[{C}] FIG. 9 shows the result of creating a state transition diagram of the synthesis process in which a and b of R are shared events. Now, FIG.
The state transition diagram of the process that is the target of Step 3-4 is completed. In the state transition diagram, the state marked with * (P6,
(Q1, R1)) is a deadlock state in which transition to the next state is not possible. Next, in Step 3-5, it is determined whether or not there is a deadlock state in the state transition diagram. In this case, since there is a deadlock state in the state transition diagram, it is determined that deadlock exists.

[0008]

In the prior art, as the number of events that occur increases, the number of states in the finally formed state transition diagram exponentially increases. The amount of calculation required to create a state transition diagram also increases exponentially. For this reason, it was difficult to determine deadlock due to a large-scale problem. Also,
When a person confirms the verification result, there is a problem that it is difficult to confirm the state transition diagram because the number of states is too large. Due to such a problem, in the conventional technology, specification parts are specified in advance as input / output variables, other variables are prevented from appearing in the specification as internal variables, and the operation of the parts itself is based on the timing and value of the input / output variables. As a result, it was necessary to make a more abstract description. As a result, the amount of calculation in verification when combining components is reduced.
For example, if the input / output variables are limited to only a and b in Equation 1, the abstracted specification part is a process P '= a->b->a->a-> a- > P ', which makes verification simpler.
However, in this conventional method, the range in which the specification component can be used is limited.

SUMMARY OF THE INVENTION An object of the present invention is to describe the operation of specification parts without distinguishing between input / output variables and internal variables, thereby facilitating the selection of specification parts, reducing the amount of calculation required for deadlock, and verifying verification results. Is to make it easier for a human to confirm.

[0010]

SUMMARY OF THE INVENTION The object of the present invention is to provide a processing means for grouping non-shared events by a shared event that occurs immediately before creating a process structural diagram, and to group the grouped events into one shared event. This is achieved by processing means for creating a state transition diagram and checking for deadlock.

[0011]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described below with reference to FIG. Process P [{a, b}] (Q
[{C}] A case where the deadlock of R) is determined will be described as an example. FIG. 1 shows a procedure for determining the deadlock of a process according to the procedure of the present invention, and corresponds to FIG. 4 showing a method according to the prior art. Since the verification by this method is premised, the specification parts to be prepared can be described in advance by the process algebra CSP without distinction between the input / output variables and the internal variables as shown in Expressions 1 to 3. In Step 1-1, the expression to be analyzed for the deadlock (in this case, P [{a, b}] (Q [{c}]
R)) is input.

Next, the process expression inputted in Step 1-2 is parsed, and the processes are decomposed into processes while grouping the events into shared events. FIG. 10 shows a syntax tree generated as a result of this syntax analysis. The procedure is as follows. First,
The list L storing the shared events is initialized to an empty list.
Next, the original process is called process P and process (Q
[{C}] R). At that time, the shared events “a” and “b” are added to the shared event list L. As a result, L
= [“A”, “b”]. Next, it is determined whether each decomposed process is a nuclear process. Since the process P is a nuclear process, it is rewritten as a process grouped by a shared event. As a result, the process P becomes P = a->
From b->a->d-> P, P = a (P1)-> b (P1)
−> A (P2) → P. Here, a (P
1) Indicates that this is the first event group in the process P of the shared event a. The event list [a] is associated with a (P1). Similarly, b (P1) indicates the second event group in the process P of the shared event b, and associates the event list [b]. a (P2) indicates the second event group in the process P of the shared event a, and a (P2) is associated with the event list [a, d]. On the other hand, since the process Q [{c}] R is not a nuclear process, it is further decomposed. First, the shared event “c” of this synthesis process is added to the list L of shared events, and as a result L = [“c”, “a”, “b”]. Since the decomposed processes Q and R are core processes, they are rewritten in the same way as for P. As a result, Q = a (Q1) −
> C (Q1)-> Q, R = c (R1)-> b (R2)-> R. Next, in Step 1-3, a state transition diagram of the core process in the syntax tree of the process is created. This method is the same as the conventional example, and is as shown in FIG. Next, the state transition diagram of the original process is created by combining the state transition diagram of the core process in the process structure diagram of FIG. At this time, events belonging to the same shared event group are regarded as the same event. First process Q
A synthesis process Q [{c}] R is created from the core process of process R and the core process of process R. This synthesizing method is the same as the conventional method, except that the variable c (R1) and the variable c (Q1)
Are regarded as the same shared event. as a result,
The state transition diagram is as shown in FIG. Similarly, a state transition diagram of the process P [{a, b}] is created from the state transition diagram of the process P and the state transition diagram of the process Q [{c}] R, as shown in FIG. ', (Q1', R
It can be seen that deadlock occurs when 1 ')) is reached. Considering the situation in the original nuclear process,
Deadlock state (P
6, (Q1, R1)). If the overhead of rewriting variables is ignored, the amount of calculation required for the deadlock determination process is considered to be substantially proportional to the number of arrows indicating states and transitions in the state transition diagram. In the state transition diagram of the conventional method, the number of states is 9 and the number of arrows is 9 including the arrow to the initial state. On the other hand, the state transition diagram 1 according to the present invention
In the case of 3, it can be seen that the number of states is 7 and the number of arrows is also 7, and the calculation amount is reduced. FIG. 9 is a diagram for explaining the occurrence of deadlock to a user according to the conventional method, and FIG.
It looks like 3.

[0013] These descriptions are based on an arithmetic processing unit having a CPU and a memory for verification and a display program for display programmed on the arithmetic processing unit by the apparatus configuration shown in FIG. It can be displayed by a display device connected to the device, and the display of the present invention with a simple state transition diagram is easier to understand.

[0014]

According to the present invention, it is possible to reduce the amount of calculation required for verifying a deadlock and to display the verification result in an easy-to-understand manner for a user. Further, the user can prepare the parts to be stocked in a form in which the input / output variables and the internal variables are described without distinction.

[Brief description of the drawings]

FIG. 1 is a flowchart of a deadlock according to the present invention.

FIG. 2 is a block diagram of a driving support / monitoring system.

FIG. 3 is an explanatory diagram of a correspondence between a process name and processing contents.

FIG. 4 is a flowchart of a schematic process for determining a deadlock.

FIG. 5 is an explanatory diagram of a structure of a process.

FIG. 6 is an explanatory diagram of state transitions of nuclear processes P, Q, and R.

FIG. 7 is a flowchart for creating a state transition diagram of the synthesis process.

FIG. 8 is an explanatory diagram of a state transition of the synthesis process Q [{c}] R.

FIG. 9 shows a synthesis process P [{a, b}] (Q [{c}]
Explanatory drawing of the state transition of R).

FIG. 10 is an explanatory diagram of a process structure according to the present invention.

FIG. 11 is an explanatory diagram of a state transition of the nuclear processes P, Q, and R according to the present invention.

FIG. 12 is an explanatory diagram of a state transition of the synthesis process Q [{c}] R according to the present invention.

FIG. 13 is a timing chart showing a method according to an embodiment of the present invention.

FIG. 14 is an explanatory diagram of a device of a driving / support system.

[Explanation of symbols]

Step1-1: Input of deadlock analysis target process, St
ep1-3: Create a state transition diagram of the nuclear process.

Claims (4)

[Claims] 1. A specification verification system for verifying whether or not a deadlock phenomenon that may occur when a plurality of systems operate in parallel and the systems are in a signal waiting state and do not operate. Based on the shared event, which is a common process / operation shared by the multiple systems, the events occurring in the processes in which the multiple systems operate are grouped together into a shared event that occurred immediately before in the operation sequence of the system. A specification verification method, wherein an event is regarded as one event named by a shared event representing a group, and a determination is made as to whether or not there is a deadlock. 2. A specification verification system for verifying the possibility of a deadlock phenomenon which may occur when a plurality of systems operate in parallel and which cannot operate due to a signal waiting state between the systems. Based on the shared event, which is a common process / operation shared by the multiple systems, the events occurring in the processes in which the multiple systems operate are grouped together into a shared event that occurred immediately before in the operation sequence of the system. Assuming that an event is a single event named by a shared event that represents the group, label the transitions in the state transition diagram with a shared event that represents the group of events as a state transition diagram to explain the verification results A specification verification method characterized by using the following. 3. In a design support system for constructing a system in which a plurality of systems operate in parallel by combining specification parts prepared in advance, the behavior of the prepared parts can be described without distinction between input / output variables and internal variables. A specification verification method that can perform deadlock verification. 4. In a design support system for constructing a system in which a plurality of systems operate in parallel by combining previously prepared specification parts, the behavior of the prepared parts is described without distinction between input / output variables and internal variables, A specification verification method characterized by performing lock verification.