JPS61191145A - Protocol logic verification system including infinite overflow detection - Google Patents

Abstract

PURPOSE:To attain logical verification even to a part of a protocol as well whose signal number is infinite by discriminating it as infinite overflow when the system state having the increase signal series of the signal state of the same channel appears so as to stop an extension. CONSTITUTION:A block 8 detects the state that the number of signals stored on a channel between processes is infinite, that is infinite overflow. The L value of state 0.1 of the process 1 is 1.0 and an unprocessed signal series of channels 1.2 are 1.0, 2.0. The L value of the state 0.9 of the process 1 is 1.5 and the unprocessed signals series of the channel 1.2 are 1.3, 2.3, 1.4, 2.4, 1.5, 2.4. Thus, after 0.9, the state transition series is repeated and the signal 1.2 is stored, then it is discriminated as the infinite overflow. Similarly, the state 0.7 of the process 2 is marked by the type 3. Thus, acyclic state extension to the protocol is stopped.

Description

DETAILED DESCRIPTION OF THE INVENTION (Field of Industrial Application) The present invention is a protocol that inputs communication protocol specifications, detects internal contradictions contained therein as specification errors, and outputs data for correcting specification errors. Concerning logical verification methods.

(Prior art) As information and communication systems have become more sophisticated and diversified in recent years, the software used to implement those systems has become larger and more complex. For this reason, improving the productivity of such large-scale software is becoming increasingly important.
This has become a serious issue. The solution is to use software
The success or failure of requirements analysis and verification at the specification design stage of the life cycle holds an important key for the reasons described below.

When analyzing informal software requirements and converting them into formal software specifications, the software specifications are created by dividing them into several modules so that existing modules can be reused. , if you combine these to achieve the desired behavior as a whole, you can modify the existing specifications. - Efficient specification by combining modules and high quality because the internals of existing specification modules have been verified.

By the way, in such a specification design method,
- Verification of interoperability between modules is essential. As a result, it is possible to efficiently create correct software specifications. Furthermore,
By verifying and maintaining the software specifications designed in this way, logical errors can be detected early, and specifications can be added and
If changes are made, there is no need to make them at the program development stage, and feedback from the program development stage to the specification design stage of the software life cycle can be eliminated, which can improve software productivity.

Protocol logic verification verifies properties that should be commonly observed in many protocols, and detects logical errors such as push-buttons related to the basic procedures of sending and receiving messages.

Since this application relates to a method of performing logic verification by expanding each process in an azaicrinok shape, the patent application No. 59-271938
The prior art of this issue will be explained using FIG. 11 and FIG. 2. Figure 1 shows an example of the protocol to be verified, with process 1
2 is a diagram illustrating the protocol specifications of a communication system consisting of Here, the communication system may be, for example, a system in which processes 1 and 2 are a terminal device and a switch, or both may be located within one CPU.

That is, a processing unit that performs transmission and reception of signals (or only transmission or reception) with other functions is called a process.

FIG. 1 is an example of a protocol when the number of processes is two.

In FIG. 1, circles represent process states, arrows represent state transitions, and labels -X and +X on the arrows represent transmission and reception of signal X, respectively. The initial state of each process is O.

It can be seen that process 1 is operating with O as its initial state, and when it sends signal 1 to process 2 it transitions to state I, and when it receives signal 3 from process 2 it transitions to state 2. In this way, although the operation of each process can be understood relatively easily, it is not easy to determine whether there is a logical contradiction between processes 1 and 2.

In the conventional technique of protocol logic verification, for a protocol in which the number of signals that can be accumulated on a channel between processes is limited, each process is The state transitions were developed in an acyclic manner, and in the process, logical contradictions, that is, specification errors were detected. FIG. 2 shows the result of applying this conventional technique to the protocol example of FIG. 1. Since FIG. 2 is an expanded view of the state transitions of each process, it is called a state transition expanded diagram. In addition, the system state is understood as i, which is the state of a process plus the state of other processes that must be reached in order to reach that state.

Hereinafter, a method of drawing a state transition development diagram for the protocol example of FIG. 1 and a method of calculating the L value of each state will be explained. For convenience of description, the state names and signal names when expanded are the same as those in the protocol example, but in order to distinguish between state names and signal names that appear more than once, When O appears for the 12th time 1. When it appears for the 3rd time 2.
...Totsugeru.

First, since the initial state of each process is 0, draw C for each process and calculate the L value of 0 as (o, o,
O, o). For example, in the L value (o, o, 0.0) of state 0 of process l, the first element 00 indicates that the process state of process 1 itself is O, and the second element OO indicates the state of process 2. This shows that process 1 knows that is O. The send transitions that can be executed at this point are -1 for process 1 and -1 for process 2.
It is 3. Draw an arrow with labels -1, 0 and a circle for the execution of send transition -1 of process 1. Since process 1 does not know about the change in the state of process 2 by sending -1, the L value of process 1's state 1.0 is set to (1, 0, 0, 0).
shall be. The first element 1.0 indicates that the state of process 1 itself is 1. Since the state of process l is recognized as O in state 0 of process 2, the execution of process 1's sending transition -1 causes process 2 to receive signal ■ receiving transition +
It can be determined that there should be 1.

Therefore, try to draw an arrow with label +1. but,
In the protocol example of FIG. 1, since reception transition +1 is not defined in state O of process 2, it is determined that it is an undefined executable transition. To represent this, for convenience, draw a dotted arrow with label +1. Draw an arrow with label -30 and a circle for execution of send transition -3 of process 2. Since process 2 does not know the change in the state transition of process l by sending -3,0, the L value of state 10 of process 2 is changed to (0, 0,
1,0). The second element 10 indicates that the state of process 2 itself is 1. Transmission transition of process 2 -
In response to step 3, process l's receive transition +3 is executed. Draw an arrow with the label +3 and a circle for this execution (.+3
By receiving , process 1 can know that the state of process 2 is 1.0, so process 1's state 2
The L value of 0 is (2,0.

1.0). The first element 2.0 indicates that the state of process l itself is 2.0. At this time, in each state 2.0.1.0 of process 1.2, there remains a signal on the channel and there are no viable transmit and receive transitions. This state is determined to be a deadlock.

Send transition from process state OO to 1.0 - 3,0
On the other hand, since reception transition +10 is executable in state 0.0, it can be seen that +1.0 is executable in state 10 as well. Therefore, draw an arrow with the label +10 and a circle for this execution. According to the rules explained above, Figure 1
An expanded version of an example protocol is shown in FIG.

Next, a method for stopping expansion will be explained using the above example.

The L value of state 06 of process 1 is (0, 6, 1, 5), and the signals accumulated in the channel due to the transmission transition and reception transition up to the L value of each process are 1.3 and 2.3. .

The L value of state 01 of process l is (0, 1, 1, C1), and the number of signals accumulated in the channel due to the transmission transition and reception transition up to the L value of each process is 10.20.

Since these signals for states 06 and Ol are equal, the state transitions between states o, i and 0.6 -1, 2, -2, 2, +
3. ．． 1°-1, 3, -2, 3, +3.2. +3.4
．． +3.5 is repeated from 06 onwards. However, the numbers below '・'' are different. Therefore, the expansion is stopped at state 0.6. For the same reason, it is stopped at state 0.8. Process 1
The system state consisting of state 0.0 of process 2 and state 0.0 of process 2 is a stable state in which no signal is accumulated in the channel. Process 1 state 0.5 and process 2 state 0
The system state consisting of 6 and also consisting of state 0.3 of process l and state 04 of process 2 are similar stable states. Since each element in these stable states matches, the subsequent expansion is repeated, so the state 0.5.0.
It will be stopped in 3.0.4. In order to abbreviate the L value in FIG. 2, only the states of other processes other than the process itself are partially shown. Also, among the signals accumulated in the channel due to the transmission transition and reception transition up to the L value, processes 1 to 2
The signal on the channel from process 2 to 1 is shown as a scratch while the signal on the channel from process 2 to 1 is shown.

Although the state transition diagram shown in FIG. 2 is obtained for the protocol example shown in FIG. 1, it is not possible to repeatedly stop the following expansions by using only the above-mentioned conventional technique for stopping the expansion. This is because the protocol of FIG. 1 allows an infinite number of signals to be accumulated on channels between processes.

(Problems to be Solved by the Invention) In the above-described conventional technology, logical contradictions can be detected only for protocols in which the number of signals accumulated in channels between processes is limited. In the technology proposed in this invention, protocol logic verification is performed for some protocols in which the number of signals accumulated in channels between processes is infinite in addition to protocols in which the number of signals accumulated in channels between processes is finite (subsidiary stock for solving problems). The present invention was made in view of the above-mentioned drawbacks of the prior art.
The purpose is to provide a protocol logic verification method that can detect logical contradictions even in protocols where the number of signals accumulated in channels between processes is infinite. Even if a stopping condition is added, logical contradictions such as deadlocks will not fail to be detected.

Further, the number of states and the number of state transitions to be developed can be reduced within a range that does not interfere with detecting logical contradictions.

(Operation) According to the present invention, for protocols in which the number of signals accumulated on channels between processes is finite and some protocols in which it is infinite, the state reached while performing azaicrinok-like expansion of state transitions for each process. When is the same as the state that appeared before, the expansion of the subsequent state transition is considered to be the same as the expansion of the state transition after the previously appeared state, and the expansion operation is stopped, resulting in undefined execution. Detect possible transitions, defined infeasible transitions, deadlocks, and overflows.

(Example) The protocol to be verified in this example is the example protocol shown in FIG. 1, as in the prior art.

Here, we will summarize the protocol specifications, assumptions, and terms for explanation.

The protocol generally consists of the following 4-term set P-(Ql'O1M
, 5ucc). However, Q-(Q,, -,Q
N), o=(01,...+ON)+M-(M
,,,..., MNN ), 5LICC is (Jx(
Mij UMji )→Q1(1ku1kuN,]kujkuN
).

Here, N is the number of processes making up P, Ql is the state set of process 1, o 16 Q ; is the initial state of process l, and Mll is the set of signals transmitted from process i to J through channel (i, i). , 5ucc (sH.

X ) -1i (s 1.(:Ql, ti6Q1)
xgM1; Thea indicates that transmitting the signal X in state S1 will result in state t1, and x G M J indicates that receiving signal X in state S1 will result in state ti. That is, 5ucc is a state transition.

The protocol is described by a finite state machine, and for convenience of description, a labeled directed graph I-(Vi, ”'i ) (l<i
It is expressed as an N-item set P-(i-mount, . . . l HN ) of N). Set of nodes ■i = Q i, set of directed edges E,
(壬V1XV1) is defined as follows. Sl and Ql +
t 16 Q l, X'MIJ.

LIMJl, 5ucc (si, x)-1, and only then N (S+ + ti)'
E EI. Furthermore, each (sl, tl) (for 9Ei, if
If so, you can ask for the label +X. Here, vl represents the state of process 1, and E represents the state transition of process I. -X and +X represent transmission and reception of signal X, respectively.

In describing the protocol, we make the following assumptions.

■ The time required for signal transmission between processes is a finite non-negative value.

■゛ The state transition within the process is deterministic, and the time required for it is assumed to be zero.

■ The reception order of signals sent and received between processes is the same as the transmission order.

The global state of protocol P is the following binary set G, =
'(S, C). However, S−(sI + ”'+
"N) rs11E'Q+'(I<i<N')+
C-(CIJ+-9CNN)l cijg Mi'
It is j. cBeM, *j is cHj=g (all series) or CIJ E MIJ
> 1. ) represents.

″·n Here, S represents the state of each process, and C represents the signal sequence remaining in each channel between processes.

Global state represents system state. Cij"Xl,
..., Xm is a process i sends a signal to J, and
represents a signal sequence in which process J has not received a signal from 1;・Concatenation of signal sequences
) represents. The transmission order of process I and the reception order of process J are both XI, . . . , Xm from the left.

From Mii-φ, C1 for all i (1 x i<:N)
1=ε. Hereinafter, such a signal sequence will be referred to as the unprocessed signal on channel (i, j).

Define a binary relation 1- on the set of G. Now, Q-(S
, C), S-(s, ,...+'"N)+
C-(CIJ +...r CNN) + G'-
(Bt, Ct), Bt-(I..., pleasure),
Let C/=(C/I, . . . , C brass). The necessary and sufficient condition for Gl-G' is the following condition (I) or (2
) there exists a process L3 and a message X that satisfy

The other elements of are the same for G and G'. At this time, the channel (
It is said that signal X was inserted into i and D.

The elements of are the same for both G and G'. At this time, channel (i
, J).

Here, (11 and (21) change the states of processes i and J from Sl and S to Sr by transmitting and receiving one signal X, respectively.

S' and the state of channel (i, i) becomes 01. from 0
1'I.

There is a necessary and sufficient condition for 014G' to be n(n〉O
) For K, G = G0 to G, 1----・1-Gn=G
'Theal.

1i is the reflective and transitive closure of 1-.
ve and transitive closure
). That is, for all G, a 1j-a, and for different G, Gl, G", G-Gl and G'
l-! -G”, then G is q.G51-!-c+
Then, we say that G is reachable from G. C8-G. Then we simply say that G is reachable. However, Go ””
(so, co), 5o-(ol+ ”', 0'N
)+Co-(Sr''+ε).

In protocol P, ordered pair (Sr X) r s
6 Qr.

x6M is called a transmission pair, and the ordered pair (s, X), S f
E Qi rX G MJ + is called a receiving pair. 5uc
c (s, x) is defined in protocol P, then (s, x) is specified (5peci f
ied ). G = (S, C), S = (s
,.

``'r Si + ''・+ sN) + C-(CI+
+ ”'y CNN) is reachable, then send pair (s
i, x), xεM1. is said to be feasible. G=
(, S, C), S-(s,,...+Si+...
・.

SN), C-(C11,...+Cji+...1CN
N) is reachable and C = x-Y, x4'
M31. If Y and M,i, then the receiving pair (sl, x
) is said to be executable.

Based on the above preparations, the following five items are to be verified in the protocol logic verification of the present invention.

(1) Undefined executable transition
d executable rans itio
n) Receive transitions that are not included in the protocol specification but are executable.

(2) 5specified unexecutable transition
executabletransition) A send or receive transition that is included in the protocol specification but is not executable.

(3) Deadlock: A system state in which the state transitions of all processes are impossible to execute, and the signals remaining in the channels between processes are not fully active.

(4) Finite opaf o − (bounded, over
f low ) A system condition in which the number of signals stored on a channel between processes exceeds the buffer capacity of the receiving process.

(5) Infinite opuff q = (unbounded o
verflow) between processes. A system state in which the amount of signal stored on a channel is infinite.

FIG. 3 is a block diagram showing one embodiment of the present invention. In Fig. 3, 1 is a memory that stores protocol specifications given from the outside, 2 is an initial setting block that sets initial values of various variables used in verification processing, and 3 is a block that stores executable transmission transitions in the expanded state. The block to be extracted, 4, is a block that adds a new state and transmission transition to the expansion diagram by executing the transmission transition, calculates the L value of that state, and determines whether the expansion can be stopped in this state. , 5 is 4
A block 6 adds a new state and reception transition to the expansion diagram by executing the reception transition corresponding to the transmission transition, calculates the L value of that state, and determines whether expansion can be stopped in this state. Move the receive transition sequence that is executable in the source state of the send transition to the destination state, add the new state and receive transition to the expansion diagram, calculate the L values of those states, and perform the expansion in this state. 7 is a block that detects undefined executable transitions, defined unexecutable transitions, deadlocks, and finite overflows; 8 is a block that determines whether or not it can be stopped; 8 is a block that determines whether the number of signals accumulated on the channel between processes is infinite; A block 9 detects a state in which the current state occurs, that is, an infinite overflow, and a block 9 is a memory that stores a developed diagram, etc., which is a verification result, and various variables. FIG. 4 shows a storage format when protocol specifications are stored in the memory 1. Further, FIG. 5 shows a storage format in which developed diagrams and specification errors are stored in the memory 9 in tabular form. The development diagram obtained as a result of applying the protocol example of FIG. 1 to the embodiment of FIG. 3 is obtained by removing the development from A onward in FIG. 2. Since the operation of the embodiment of FIG. 3 is the same as the prior art except for block 8, only the method of stopping the expansion and block 8 will be described.

We will describe a method for stopping acyclone expansion.

When the following three conditions (11 to (3)) are satisfied, ii is S
This is called the preceding state of l. At this time, S is said to be marked with type 0. X and Y are 0. Let the transition series be from 1° to 1°, s, respectively.

(1) X is a subsequence of Y.

(2) For all processes j (including i), L J (
t+.

X) and 1 (sl, Y) match.

(3) X and R7 (tl, X
) after sending and receiving signals on any channel (in 1)
(]<k, l<N) remaining unprocessed signal sequence (
This is hereinafter referred to as 0 item) is the same as the transmission after the signal transmission and reception on Y and horse (SI, Y).

Although (1) does not hold in the above definition, (2) and (3)
When the following holds true, Si is said to be marked with type 0. At this time, only one of X and Y will be expanded.

It is said that when the following three conditions (1) to (3) are met, the data can be sent from tl to 51. Let X and Y be transition series from 01 to tl and sl, respectively.

(1) The last signal on X received from process l and the last signal on Y sent to process J match.

(2) Lk(tl, Y
) and Tk(SJ, X) are on the same transition series.

(31Sj is reachable from LJ(tl, Y).t
If all S3s to which l can be sent are marked with type O, then tl is said to be marked with type 1.

In the acyclically expanded protocol, the stable global states G = (S, C), S = (s
,.

...+si+..., S4. ...l5N) already exists, tl is reachable from Si, and for further j Ig, (t, L X) is S,
ti is said to be marked with type 2 if it is reachable from .

If the state transition entering 81 in the above definition is a receive transition, sl is immediately marked with type 2.

(]9) In order to determine infinite overflow, the following definition is added to the stopping method of acyclohex-like expansion.

A state s that satisfies the following three conditions (1) to (3);, J
A state,U,is said to be marked with type 3 if,. Let X, Y, and Z be the respective transition series from 0° to Sl, tl, and ul.

(1) X is a subsequence of Y, and Y is a subsequence of Z.

(2) 1 x (sl, X), 1 x (ti) for every process J.

Y) and LJ (u+, Z) match.

(3) Any channel < k, l after sending or receiving a signal on Rj (ul, Z ) for all processes j
) (1<:, l<N) remaining unprocessed signal sequence Ck.

(1<:N, t6N) is RJ (t r , Y
) and horses (Sl.

X) each C1' after sending or receiving the above signal
and has the following relationship with CSl. d is a certain series ke
Let it be u.

(d) pp〉O C product = (diqq〉O, q〉p C-+d)2qr) However, at least one set of q > p o for l is more intuitive than the above definition. It can be seen that the state of Ckl is monotonically increasing, so it is determined that there is an infinite overflow,
Deployment is stopped.

In the method for determining infinite overflow as defined above, if there is no deletion message sequence, and if a non-negative integer q exists, it is determined that there is an infinite overflow. However, at least one channel (k.

q~O8 for l) When all executable send or receive pairs are added and the states of each process are marked, the acyclic protocol evolution is stopped.

For the example protocol of FIG. 1, block 8 of the embodiment of FIG. 3 operates as follows. The L value of state 0.1 of process 1 is 1.0, and the unprocessed signal sequence of channel (12) is 1
．． It is 0.2.0. The L value of state 05 of process 1 is 1
2, and the unprocessed signal sequence of channel (1, 2) is 12
・22・13・23. Process 1 state 09 L
The value is 1.5, and the unprocessed signal sequence of channel (12) is 13.2.3.14.24.1.5.24.

Therefore, state 09 is marked with type 3.

After 09, the state transition series -1, -2, +3. -1. −
2. +3 is repeated and signals 1 and 2 are accumulated, so it is determined that there is an infinite overflow. Similarly, state 0.7 of process 2 is also marked with type 3. As a result of the above results, the acyclic expansion for the example protocol of FIG. 1 is stopped.

The infinite overflow detection method of the present invention is a protocol logic verification method that generates a global state.
9-192491).

We extend the infinite overflow test method and show a method that can be applied to protocols with timeout functions that often appear in practice.

We apply a process-aware state transition expansion method that includes determination of infinite overflow to protocols that are actually in use. An example of this is Alternating BitProt.
ocol (hereinafter abbreviated as A, 13P) will be taken up.

This protocol is the American AR, PA (Adv
ancedResearch Project Age
ncy) network and European BIN (Eu
ropean Informatics Network
k). FIG. 6-(a) shows a state transition diagram of ABP.

In the figure, Error represents a message transmission/reception error, and T represents a timeout. For convenience of explanation, it is assumed that there are no errors. Figure 6-(a) as New data, Del
Figure 6-(b) is simplified by excluding 1ver data etc.
It becomes l. In the figure, a self-loop that is a state transition that returns to the same state represents a timeout transition. A superscript is added to distinguish between the same sent messages. For example, -Do is -D', -Do2, -D. Distinguish from 3. Of these, -1). 2 represents timeout. +Do represents three messages: +Do', +Do'', and +Do''. State 1 is the initial state.

The method of the present invention described above is applied to the protocol shown in FIG. 6-(b). However, if applied as is, the total number of states and state transitions that are expanded acyclically will increase, so
In order to reduce this, we expand the expansion method as follows.

Let R1 be a set of state transition sequences from the initial state of process i to return to the initial state again. An infinitely repeated signal sequence is j
If R1 includes (>0) times, then R1= n, y
It can be expressed as urtHu...uaiu... If the channel state in the initial state returned again is a protocol that satisfies the recursive property regarding j of R, it is not necessary to expand all of R1, but only R, g, and R% need to be expanded. The above processing is performed for each process.

Figure 7.8 shows the results of applying the extended expansion method to the protocol in Figure 6-(bl).The expansions below A are omitted.

In the figure, → and + represent the first and second timeout signal transitions, respectively. This timeout transition corresponds to the infinite repeat sequence described above. For example, in Figure 7 (-D3.0)
(+A8〇)・(-D:;0)・(10゛A+';o)
Is it R? belongs to (-DL;0)・(D,!;o)・(+
Hehe;0)・(-Di;t)・(+Aoo;
O)・(”? 20)・(+Al;l) belongs to R1. Let the former be r4 and the latter r2.

In the case of ABP, the following recursive property holds for the state transition sequence belonging to R.

If rεR1 contains i timeout transitions (-Dg), the channel state returns to the initial state ""
(CI2+ 021) becomes as follows.

For channels (1,,2), c,2=(D,)'.

For channel (2,j), C2+-ε (academic series).

For example, since it does not include a timeout transition for r,
Cl2=ε+C21""ε, timeout for r2°
Since it includes one transition, c,2=DL c2. =ε
It becomes.

However, since the group 1 opening after the end of ring R1 is a repetition of R1,
The stopping method can be obtained by extending the process-compatible state transition expansion method as explained above using the method for determining infinite overflow.
Logical verification of ABP becomes possible.

In general, the extended expansion method is effective for protocols with timeout transitions, such as ABP.

(Effects of the Invention) As explained in detail above, the protocol logic method according to the present application, compared to the conventional method, can be used not only for protocols with a finite number of signals accumulated on channels between processes, but also for protocols with an infinite number of signals. Logical verification is also possible for some parts. This method can detect all undefined executable transitions, undefined executable transitions, deadlocks, and finite overflows, including infinite overflows that often appear in actual protocols. Furthermore, this method can be extended to include the Quim-Au1 function, which is an example of a practical protocol.
Logical verification of ingBit Protocol has become possible by reducing the amount of processing required for verification processing.

[Brief explanation of drawings]

Figure 1 shows an example of the protocol to be verified, Figure 2
is a state transition development diagram of the protocol in FIG. 1, FIG. 3 is a block diagram showing an embodiment of the present invention, FIG. 4 is a diagram showing an example of the storage format of the memory 1 in FIG. 3, and FIG. 5 is a diagram showing verification results. 6 is A,
The state transition diagrams of BP, FIGS. 7 and 8, are diagrams showing the results of applying the extended expansion method to the protocol. Figure 1 Process 1 Process 2 (α)
(b) Fourth skillful leap (d) Dayy￥ U-t716” iEiIg(e
) 7 Tl race-pa lowe) black ↑Δx-) <'flow for 6 figure <O,)

Claims (1)

[Claims] A logical verification of a protocol that inputs a protocol specification between a plurality of processes expressed by electrical signals, and verifies the protocol specification while transitioning the state of each protocol according to transition information included in the protocol specification. In this method, expansion is executed while performing state transitions by associating transmission transitions and reception transitions for each process, while monitoring the system state defined by each process state and the signal state of the channel, and If the process state in the system state is the same as the process state in the system state that has already appeared, compare the signal state of the channel in the system state that has already appeared with the signal state of the channel in the current system state. When the channel signal amount is large, the process state and the increasing signal sequence of the channel signal state are stored in memory, and in subsequent deployment, the process state and the same process state and the same as the stored system state are stored again. A protocol logic characterized by having at least means for determining that, when a system state having an increasing signal sequence of channel signal states appears, the channel in that state has an infinite overflow, halting expansion, and outputting an electrical signal representing a specification error. Verification method.