WO2011096037A1 - Specification model verification method and specification model verification device - Google Patents


Publication number
WO2011096037A1
Authority
WO
WIPO (PCT)
Prior art keywords
model
target value
functional block
satisfy
design
Application number
PCT/JP2010/051402
Other languages
English (en)
Japanese (ja)
Inventor
将計 八木
康文 鈴木
雄一郎 中川
秀人 野口
Original Assignee
株式会社日立製作所

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3604 Software analysis for verifying properties of programs
    • G06F 11/3608 Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation

Definitions

  • The present invention relates to an inspection method and inspection apparatus for design models that describe software processing functions based on a product specification model describing the specifications of a product.
  • In model checking, the target product system is described in a language or model with a mathematical basis, and the validity of the system specifications is verified rigorously by checking whether the target value required of the system is satisfied.
  • The application range of the model checking technique is limited to models with a small number of states, such as a product specification model describing the specifications of the product system, or a design model for each functional block obtained by dividing the specifications of the product system by processing function.
  • A technique for reducing the number of states of the model to be inspected is therefore required.
  • Patent Document 1 describes a method of creating a model with a reduced number of states: it investigates whether the state transitions of a plurality of instructions in an operation model become identical after a certain stage, and when they do, the operation model is operated as a single instruction from that stage on.
  • Another described method reduces the number of system states used in the model check by letting the user specify the relationships between the state variables, the variables in the model that indicate the state of an element whose state changes.
  • A specification model represented by transitions among a plurality of functional blocks including at least a first and a second functional block, together with its target value, is input, and for each of the plurality of functional blocks a design model represented by state transitions, together with the target value of that functional block, is input.
  • Whether each of the plurality of functional blocks satisfies its target value is verified, and a first functional block having a state transition that does not satisfy its target value in that verification is extracted; the target value of the first functional block is reset to the value required by the state transition that does not satisfy the target value, and the target value of the second functional block is reset in accordance with the reset target value of the first functional block.
  • A modified design model of the second functional block is generated by excluding, from the design model of the second functional block, the state transitions unrelated to the constraint condition that causes the unsatisfied state transition, and the modified design model of the second functional block is verified against the reset target value of the second functional block.
  • When the reset target value of the second functional block is satisfied, a result that the specification model satisfies the target value is output.
  • The specification model checking apparatus comprises a first model conversion unit that receives a specification model represented by transitions among a plurality of functional blocks including at least the first and second functional blocks, together with its target value, and generates a specification verification model;
  • a second model conversion unit that receives, for each of the plurality of functional blocks, a design model represented by state transitions and a target value, and generates a design verification model;
  • a model checking unit that receives the specification verification model and the design verification model and checks whether each model satisfies its target value;
  • a counterexample extraction unit that extracts, from the design model of a first functional block determined by the model checking unit not to satisfy its target value, the state transition that does not satisfy the target value; and
  • a design model management unit that generates a modified design model of the second functional block by excluding, from the design model of the second functional block, the state transitions unrelated to the constraint condition that causes the unsatisfied state transition in the first functional block.
  • A method is provided for verifying that the target value of a product specification is satisfied by functional block design models having complicated dependency relationships, so that problems originating in the functional block design models are eliminated and the cost required for this is reduced.
  • Model checking is a technique for rigorously verifying system specifications by describing the target system as a state transition model and confirming that the system satisfies a target value.
  • FIG. 1 is a diagram showing processing of a model checking apparatus according to an embodiment.
  • The model checking apparatus 10 can be realized as a computer system comprising a general-purpose computer, a storage device, an input/output device and a display device.
  • The model conversion unit 101, model checking unit 102, counterexample extraction unit 103 and design model management unit 105 can be realized as programs executed on that computer system.
  • A product specification designer interprets the product specification of the product system to be developed and creates a product specification model 111, described by state transitions among a plurality of functional blocks, and a target value 112 of the product specification.
  • The model checking apparatus 10 converts the product specification model 111 into a product specification verification model 113 by means of the model conversion unit 101a, and inputs it, together with the target value 112 of the product specification, to the model checking unit 102.
  • The model checking unit 102 verifies whether the product specification verification model 113 satisfies the product specification target value 112 and outputs a product specification verification result 114.
  • The functional block designer interprets the product specification model 111, creates a design model 121 in which each functional block is described by state transitions and a target value 122 for the functional block, and inputs them to the model checking apparatus 10.
  • The model checking apparatus 10 converts the functional block design model 121 into a functional block design verification model 123 by means of the model conversion unit 101b and inputs the functional block design verification model 123 to the model checking unit 102.
  • The model checking unit 102 verifies whether the functional block design verification model 123 satisfies the target value 122 and outputs a functional block verification result 124.
  • The counterexample extraction unit 103 extracts, from the functional block verification result 124, the functional block that does not satisfy its target value and the counterexample 104, i.e. the condition under which it fails.
  • Based on the product specification model 111 and the product specification target value 112, the design model management unit 105 adjusts the functional block design model 121 and the target value 122 according to the counterexample 104, and the model checking unit 102 verifies the functional block again. The design model management unit 105 also displays the counterexample 104 within the functional block design model 121 on the display device so that the functional block designer can check it (counterexample 130).
  • Fig. 2 shows an example of the product specification inspection flow for the product specification model.
  • The product specification designer interprets the product specification and sets the target value 112 of the product specification model (step S201).
  • The product specification designer creates a product specification model 111 from the product specification (step S202).
  • The model conversion unit 101a converts the product specification model 111 into the product specification verification model 113 so that model checking can be executed (step S203).
  • The model checking unit 102 verifies that the product specification verification model 113 satisfies the target value 112 of the product specification (step S204).
  • When the product specification verification model 113 does not satisfy the target value 112 of the product specification (No in step S204), the product specification designer recreates the product specification model 111 (step S202); when it does (Yes in step S204), the process ends.
  • Fig. 3 shows an example of the inspection flow for the functional block design model.
  • The functional block designer sets, from the product specification model 111, the target value 122 of each functional block constituting the product specification model (step S301).
  • The functional block designer interprets the product specification model 111 and creates a functional block design model 121 (step S302).
  • The model conversion unit 101b converts the functional block design model 121 into the functional block design verification model 123 so that model checking can be executed (step S303).
  • The model checking unit 102 verifies that the functional block design verification model 123 satisfies the functional block target value 122 (step S304).
  • When the functional block design verification model 123 satisfies the target value 122 of the functional block (Yes in step S304), it also satisfies the target value 112 of the product specification, and the process ends.
  • Otherwise (No in step S304), the process proceeds to step S305.
  • In step S305, the counterexample 104, i.e. the condition under which the functional block does not satisfy its target value, is extracted from the functional block verification result 124.
  • A counterexample path {Cx} is extracted from the counterexample 104 in the functional block design model (step S306).
  • The target value of the functional block containing the counterexample path {Cx} is set to the processing time of the counterexample path {Cx} (step S307).
  • The target values 122 of the functional blocks not containing the counterexample path {Cx} are reset so as to satisfy the target value 112 of the product specification (step S308).
  • The constraint condition under which the counterexample path {Cx} is taken is extracted from the design model of the functional block containing the counterexample path {Cx} (step S309).
  • The design models 121 of all functional blocks are transformed into state transition models from which the paths unrelated to that constraint condition are deleted (step S310), and the process returns to step S303.
  • FIG. 4 is a flowchart showing an example in which the design model management unit 105 displays counterexamples 130 on the functional block design model to the functional block designer when the functional block design verification model 123 does not satisfy the target value 122.
  • The counterexample path {Cx} in the functional block design verification model 123 that does not satisfy the target value is taken from the counterexample 104 extracted by the counterexample extraction unit 103 (step S401).
  • A constraint condition related to the counterexample path {Cx} is extracted (step S402).
  • The paths related to that constraint condition are extracted (step S403).
  • The extracted paths are displayed to the functional block designer (step S404), and the process ends.
  • FIG. 5 is a diagram illustrating an example of the product specification model 111 and the target value 112 of the product specification.
  • The product specification model 50 is represented by a state transition diagram composed of states 51, each of which is a functional block, and arrows 54 for the transition paths.
  • An arrow 54 indicates the direction of a state transition and is labelled with the time 52 required for the transition.
  • Each state 51 is assigned a target value 55 for the processing in that functional block.
  • A target value 53 of the product specification that this product specification model must satisfy is given.
  • The state transitions of the product specification model 111 generally do not include constraint conditions for branching.
  • From functional block A, the model transitions in 0 sec to functional block B, which has a target value of 5 sec.
  • It then transitions in 0 sec to functional block C, which has a target value of 5 sec, and when the processing of functional block C is completed, the entire processing is complete.
  • The target value 53 of the product specification is 15 seconds, i.e. the entire processing must finish within 15 seconds. Therefore, when this product specification model is verified by the model checking unit 102, the verification result "the target value of the product specification is satisfied" is output.
  • In the example of FIG. 5, the product specification verification model 113 generated by the model conversion unit 101 is given, with the respective target values T_A to T_C of the functional blocks A to C, as (T_A + T_B + T_C) ≤ 15 sec (Equation 1). Although details are omitted, the model checking unit 102 outputs the product specification verification result 114 according to whether Equation 1 is satisfied by the target values verified for the functional blocks A to C in FIG. 5.
  • The functional block design model 60 is represented by a state transition model comprising states 61 and transition arrows 64.
  • An arrow 64 indicates the direction of a state transition and is labelled with the constraint condition of the transition branch and the time 62 required for the transition.
  • In FIG. 6, the condition for the transition from state S1 to S2 is that the global variable var1 is 1, the condition for the transition from S1 to S3 is that var1 is 2, and the condition for the transition from S1 to S4 is that var1 is 3.
  • When the branch constraint 62 is *, the state transitions unconditionally.
  • Each functional block begins in a start state 611, which receives the transition from another functional block, and finishes its processing by reaching the end state 612, from which the transition to the other functional block is made.
  • The design model notation is the same as in FIG.
  • The model checking unit 102 verifies whether the target value of the functional block is satisfied and outputs the result.
  • As in the example of FIG. 5, the functional block design verification model 123 generated by the model conversion unit 101 is given as the condition that every transition path that can be taken from the start state 611 to the end state 612 satisfies the target value 63.
  • That is, the model conversion unit 101 extracts, as the verification model, the transition paths from state Si to state So, calculates the time required for each transition, and creates a model that verifies whether the time required by every transition path fits within the target value.
  • When the model checking unit 102 verifies the functional block design model 60 shown in the figure, the verification result "B satisfies the target value" is output.
  • The design model 70 of functional block C shown in FIG. 7 includes, among the paths from the start state 711 to the end state 712, a path passing through Si (711) → S1 (713) → S4 (716) → S3 (715).
  • FIG. 10 shows the table that serves as the verification model. Since the target value 73 of functional block C is within 5 seconds, the model checking unit 102 compares the transition times in the table of FIG. 10 with the target value and outputs the verification result "functional block C does not satisfy the target value". The processing performed when a functional block design model does not satisfy its target value (steps S305 to S310) is described below.
  • The model checking unit 102 outputs a verification result 124 indicating that the target value 73 is not satisfied.
  • The counterexample extraction unit 103 extracts the counterexample path {Si (711) → S1 (713) → S4 (716) → S3 (715) → S5 (717) → So (712)} (steps S305 and S306).
  • The design model management unit 105 fixes the processing time of the counterexample path, 6 sec, as the target value 93 of functional block C (step S307).
  • The target values of the functional blocks not containing the counterexample path are reset so as to satisfy the target value 53 of the product specification, that is, adjusted so that Equation 1 above holds.
  • The target value 83 of functional block B is changed to 4 sec, so that with a target value of 5 sec for functional block A, 4 sec for functional block B and 6 sec for functional block C, the product specification target value of 15 sec is satisfied (step S308).
  • This can be realized by the functional block designer confirming the counterexample displayed on the display device, resetting the target values of the other functional blocks, and inputting the reset target values to the model checking apparatus 10.
  • It is then verified whether the modified design models 80 and 90 satisfy the reset target values 83 and 93 (step S304).
  • Since the processing time of the counterexample path alone is set as the target value for the design model of functional block C, the model checking unit 102 outputs the verification result "functional block C satisfies the target value". Further, since all paths of the design model 80 of functional block B satisfy the target value of 4 sec, the model checking unit 102 outputs the verification result "functional block B satisfies the target value". Therefore, although a functional block that does not satisfy its original functional block target value is included, the final result is that the target value of the product specification is satisfied.
  • Reference numerals: 10: model checking apparatus, 101: model conversion unit, 102: model checking unit, 103: counterexample extraction unit, 104: counterexample, 105: design model management unit, 111: product specification model, 112: product specification target value, 113: product specification verification model, 114: product specification verification result, 121: functional block design model, 122: functional block target value, 123: functional block design verification model, 124: functional block verification result.
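The following Python is an added worked example of the flow of FIG. 3 and of the example of FIGS. 5 to 10 above; it is not code from the patent or from Hitachi. It enumerates every path of a functional block design model as the verification table (the FIG. 10 table), takes the first path exceeding the target as the counterexample, fixes the failing block's target to the counterexample time (step S307), applies the designer's reset of the other targets and checks Equation 1 (step S308), extracts the branch constraints on the counterexample path (step S309), deletes contradicting transitions from every block's model (step S310), and re-verifies. The block names A, B and C, the 5 sec targets, the 15 sec product specification target and the 6 sec counterexample path Si → S1 → S4 → S3 → S5 → So of block C come from the page; all other transitions, their times and the var1 branch values are constructed assumptions, as are the function names.

```python
"""Added example: functional block verification flow of FIG. 3 (steps S303-S310).
Block names, targets and the 6 sec counterexample path come from the page; every
other transition, time and var1 branch value is a constructed assumption."""

ANY = "*"  # unconditional branch constraint, as in the design model notation

# A design model is a list of transitions (src, dst, constraint, time_sec), where
# constraint is ANY or a (global_variable, value) pair such as ("var1", 3).

def enumerate_paths(model, start="Si", end="So"):
    """Verification model: every simple path from the start state to the end state
    with its accumulated transition time (the table of FIG. 10)."""
    by_src = {}
    for src, dst, cond, t in model:
        by_src.setdefault(src, []).append((dst, cond, t))
    paths = []

    def walk(state, visited, edges, total):
        if state == end:
            paths.append((edges, total))
            return
        for dst, cond, t in by_src.get(state, []):
            if dst not in visited:  # simple paths only, so a cyclic model still terminates
                walk(dst, visited | {dst}, edges + [(state, dst, cond, t)], total + t)

    walk(start, {start}, [], 0)
    return paths

def check_block(model, target):
    """Step S304: every path must fit within the target. Returns (ok, counterexample),
    the counterexample being the first (edges, time) pair that exceeds the target."""
    for edges, total in enumerate_paths(model):
        if total > target:
            return False, (edges, total)
    return True, None

def path_states(edges):
    return [edges[0][0]] + [dst for _, dst, _, _ in edges]

def extract_constraints(edges):
    """Step S309: the branch constraints that force the counterexample path."""
    return {cond for _, _, cond, _ in edges if cond != ANY}

def restrict_model(model, constraints):
    """Step S310: delete transitions whose branch constraint contradicts the
    counterexample's constraints (same global variable, different value)."""
    fixed = dict(constraints)
    return [e for e in model if e[2] == ANY or fixed.get(e[2][0], e[2][1]) == e[2][1]]

def spec_satisfied(targets, spec_target):
    """Equation 1: the sum of the block target values fits within the spec target."""
    return sum(targets.values()) <= spec_target

def verify(spec_target, targets, models, designer_reset):
    """One pass of the FIG. 3 flow. designer_reset holds the target values the
    functional block designer chooses for the blocks without the counterexample
    (step S308). Returns the outcome together with the intermediate results."""
    result = {"targets": dict(targets), "counterexample": None,
              "models": models, "spec_ok": False}
    if not spec_satisfied(targets, spec_target):
        return result
    checks = [(n, check_block(m, targets[n])) for n, m in models.items()]
    failing = next(((n, cx) for n, (ok, cx) in checks if not ok), None)
    if failing is None:
        result["spec_ok"] = True  # every block meets its target (Yes in step S304)
        return result
    name, (edges, total) = failing
    result["counterexample"] = (name, path_states(edges), total)  # steps S305/S306
    new_targets = dict(targets)
    new_targets[name] = total                                      # step S307
    new_targets.update({n: v for n, v in designer_reset.items() if n != name})  # S308
    result["targets"] = new_targets
    if not spec_satisfied(new_targets, spec_target):
        return result  # the reset targets break Equation 1; the designer must retry
    constraints = extract_constraints(edges)                       # step S309
    restricted = {n: restrict_model(m, constraints) for n, m in models.items()}  # S310
    result["models"] = restricted
    result["spec_ok"] = all(check_block(m, new_targets[n])[0]       # back to S303/S304
                            for n, m in restricted.items())
    return result

SPEC_TARGET = 15                    # target value 53 of the product specification
TARGETS = {"A": 5, "B": 5, "C": 5}  # target values 55 of the functional blocks
# Constructed design models; only C's 6 sec path Si-S1-S4-S3-S5-So is from the page.
MODEL_A = [("Si", "S1", ANY, 0), ("S1", "So", ANY, 5)]
MODEL_B = [("Si", "S1", ANY, 0), ("S1", "S2", ("var1", 1), 2),
           ("S1", "S3", ("var1", 2), 3), ("S1", "S4", ("var1", 3), 1),
           ("S2", "So", ANY, 2), ("S3", "So", ANY, 2), ("S4", "So", ANY, 2)]
MODEL_C = [("Si", "S1", ANY, 0), ("S1", "S2", ("var1", 1), 1),
           ("S1", "S3", ("var1", 2), 1), ("S1", "S4", ("var1", 3), 1),
           ("S2", "So", ANY, 2), ("S4", "S3", ANY, 2), ("S3", "S5", ANY, 1),
           ("S5", "So", ANY, 2)]
MODELS = {"A": MODEL_A, "B": MODEL_B, "C": MODEL_C}

if __name__ == "__main__":
    for edges, total in enumerate_paths(MODEL_C):  # the FIG. 10 style table for block C
        print(" -> ".join(path_states(edges)), f"{total} sec")
    outcome = verify(SPEC_TARGET, TARGETS, MODELS, designer_reset={"B": 4})
    print("counterexample:", outcome["counterexample"])
    print("reset targets:", outcome["targets"], "spec satisfied:", outcome["spec_ok"])
```

Running the file prints the three paths of block C (3, 4 and 6 sec), the counterexample, and the reset targets A = 5, B = 4, C = 6 with the specification reported as satisfied. Passing an empty designer reset leaves A + B + C at 16 sec, so Equation 1 fails and verify returns spec_ok False without re-verifying the blocks, which is the case the designer has to resolve by choosing different target values.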

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Design And Manufacture Of Integrated Circuits (AREA)
  • Stored Programmes (AREA)

Abstract

According to the invention, in the verification of a specification model expressed as transitions among a plurality of function blocks, it is verified whether or not a target value is satisfied for each of the function blocks. After a function block having a state transition that does not satisfy a target value is extracted, the target value of that block is refined to correspond to the state transition, and the target values of the other function blocks are also refined to correspond to the target value of the specification model. Under the restriction that the extracted function block violates its target value, if the other function blocks satisfy the refined target values, it is determined that the specification model satisfies the target value.
PCT/JP2010/051402 2010-02-02 2010-02-02 Specification model verification method and specification model verification device WO2011096037A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2010/051402 WO2011096037A1 (fr) 2010-02-02 2010-02-02 Specification model verification method and specification model verification device
JP2011552593A JP5524244B2 (ja) 2010-02-02 2010-02-02 Specification model inspection method and specification model inspection device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2010/051402 WO2011096037A1 (fr) 2010-02-02 2010-02-02 Specification model verification method and specification model verification device

Publications (1)

Publication Number Publication Date
WO2011096037A1 (fr) 2011-08-11

Family

ID=44355066

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/051402 WO2011096037A1 (fr) 2010-02-02 2010-02-02 Specification model verification method and specification model verification device

Country Status (2)

Country Link
JP (1) JP5524244B2 (fr)
WO (1) WO2011096037A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018060421A (ja) * 2016-10-06 2018-04-12 株式会社東芝 Information generation system, device, method, and program
JP7490656B2 (ja) 2018-12-20 2024-05-27 コミッサリア ア レネルジー アトミーク エ オ ゼネルジ ザルタナテイヴ System for formally monitoring communications

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004326366A (ja) * 2003-04-23 2004-11-18 Matsushita Electric Ind Co Ltd Program verification generation device and program verification generation method
JP2009116648A (ja) * 2007-11-07 2009-05-28 Hitachi Ltd Software design support method, design support device and design support program


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TOSHIAKI AOKI: "Ko Shinraisei Kumikomi Software Kaihatsu - Saishin Gijutsu Doko to Torikumi - 2 Keishikiteki Shuho ni yoru Ko Shinraisei Kumikomi Software Kaihatsu", JOHO SHORI, vol. 47, no. 5, 15 May 2006 (2006-05-15), pages 491 - 497 *


Also Published As

Publication number Publication date
JP5524244B2 (ja) 2014-06-18
JPWO2011096037A1 (ja) 2013-06-06

Similar Documents

Publication Publication Date Title
US10354042B2 (en) Selectively reducing graph based analysis pessimism
US8560983B2 (en) Incorporating synthesized netlists as subcomponents in a hierarchical custom design
US7124070B2 (en) Method of and apparatus for, and program for verifying equivalence between behavioral description and register transfer level description
JP5524244B2 (ja) Specification model inspection method and specification model inspection device
CN111400716A (zh) Operating-system-based security mechanism verification method
US8863054B1 (en) Innovative verification methodology for deeply embedded computational element
US11630938B1 (en) Failure mode analysis for circuit design
US11775719B1 (en) Cell instance charge model for delay calculation
JP4950942B2 (ja) Verification device for semiconductor integrated circuits
CN113489068B (zh) Power system unit commitment method and system
JP4831375B2 (ja) Verification device, verification method, and program
Ciesielski et al. Arithmetic bit-level verification using network flow model
CN105512381A (zh) Clock delay verification method
US10860757B1 (en) Multicorner skew scheduling circuit design
US9594860B2 (en) Analog mixed signal model equivalence checking
JP6279750B2 (ja) Source code equivalence verification device
US10902167B1 (en) Feedback-aware slack stealing across transparent latches empowering performance optimization of digital integrated circuits
US20100192111A1 (en) Performing logic optimization and state-space reduction for hybrid verification
JP4702357B2 (ja) Method, device and program for verifying equivalence between a behavioral level description and a register transfer level description
US20200074309A1 (en) Systems and methods to semantically compare product configuration models
US9424380B2 (en) Augmented simulation method for waveform propagation in delay calculation
US11574103B2 (en) Addressing layout retargeting shortfalls
JP2003076739A (ja) Logic verification device, method and program
Le-Huu et al. Asynchronous circuit verification: from specification to circuit
Anupama et al. Decision-Table Based Testing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10845174

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2011552593

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10845174

Country of ref document: EP

Kind code of ref document: A1