WO2014199496A1 - Program verification device, program verification method, and program - Google Patents

Program verification device, program verification method, and program

Info

Publication number: WO2014199496A1
Authority: WO, WIPO (PCT)
Prior art keywords: interrupt, program, verification, target program, verification target
Application number: PCT/JP2013/066381
Other languages: French (fr), Japanese (ja)
Inventor: 誠 磯田
Original Assignee: 三菱電機株式会社
Application filed by 三菱電機株式会社
Priority to JP2015522353A (JP5951130B2)
Priority to PCT/JP2013/066381 (WO2014199496A1)
Publication of WO2014199496A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3604 Software analysis for verifying properties of programs

Definitions

  • The present invention relates to a technique for verifying a program (hereinafter also referred to as software).
  • Control S/W, which is a kind of embedded software (hereinafter also referred to as S/W), is rapidly increasing in scale and complexity in order to meet the demand for multi-function, high-added-value products.
  • Functional safety standards, which ensure the safety of products through their functions, have been formulated in various fields because users are increasingly safety-oriented.
  • The functional safety standard ISO 26262 for automobiles was formulated in November 2011, and product development is required to comply with the standard without an increase in cost.
  • In the H/W-S/W interface verification performed in the unit test of the control S/W, every condition that occurs during actual machine operation after the test, including conditions that occur only rarely, must be assumed, and tests corresponding to all of those conditions must be performed without exception. Specifically, the following requirements must be met. (1) In order to guarantee the verification result, the implementation code, which is the program to be verified, should be modified as little as possible. (2) It must be possible to verify all variations of processing caused by the parallel operation of H/W and S/W. (3) It must be possible to simulate the finite-time operation of the implementation code. In general it is hard to imagine a situation in which operation continues for an infinite time without the device ever stopping, so it is sufficient to be able to simulate finite-time operation.
  • In the method of simulating the operation of an I/O device (for example, Patent Document 1), it is possible to simulate the finite-time operation of the I/O device computation and the interrupt processing according to manually set operating conditions of the I/O device.
  • In implementation code analysis by model checking (for example, Non-Patent Document 1), the implementation code can be verified over all variations of parallel operation within a finite time by converting the implementation code into a dedicated description in SMT (Satisfiability Modulo Theories) format.
  • However, the conventional software parallel operation verification technology has the following problems.
  • The present invention has been made in view of the above circumstances, and its main object is to verify a verification target program under the conditions that occur during actual machine operation, without modifying the verification target program.
  • The program verification device according to the present invention is a program verification device for verifying a verification target program that includes an interrupt setting process for performing settings related to an interrupt, and includes: an interrupt candidate timing designation unit that analyzes the verification target program and designates, as interrupt candidate timings, a plurality of timings at which an interrupt may occur when the verification target program is executed by the device that executes it; a program execution unit that executes the verification target program; an interrupt generation unit that, while the program execution unit executes the verification target program, generates an interrupt at an interrupt candidate timing if the interrupt setting process has set interrupt permission there, and does not generate an interrupt at that interrupt candidate timing if the interrupt setting process has set interrupt prohibition there; and a verification unit that selects, from among the interrupt candidate timings, an interrupt candidate timing at which prohibiting interrupts is assumed to be appropriate as an interrupt prohibition assumed timing, analyzes the execution result of the verification target program, and determines whether the setting for prohibiting the interrupt was performed by the interrupt setting process at the interrupt prohibition assumed timing.
  • According to the present invention, the verification target program is analyzed, the interrupt candidate timings at which an interrupt may occur when the verification target program is executed on the device are specified, and the generation of interrupts at each interrupt candidate timing is adjusted according to the setting made by the interrupt setting process. Therefore, as far as interrupt control is concerned, the verification target program can be verified under the same conditions as when the actual machine is operating.
  • FIG. 1 is a diagram illustrating a configuration example of a simulator device according to the first embodiment.
  • FIG. 2 is a diagram showing the relationship between the simulator device according to the first embodiment, the implementation code, and the I/O device simulation program.
  • FIG. 3 is a diagram showing the S/W architecture of the implementation code according to the first embodiment.
  • FIG. 4 is a flowchart showing an operation example of the simulator device according to the first embodiment.
  • FIG. 5 shows an example of a verification scenario generation procedure according to the first embodiment.
  • FIG. 6 is a diagram illustrating an example of interrupt points according to the first embodiment.
  • FIG. 7 shows an example of input sequence information according to the first embodiment.
  • FIG. 8 is a diagram illustrating an example of interrupt point information according to the first embodiment.
  • FIG. 9 is a diagram illustrating an example of the scheduler setting according to the first embodiment.
  • FIG. 10 is a diagram showing an example of I/O device state information (interrupt) according to the first embodiment.
  • FIG. 11 is a diagram showing an example of I/O device state information (timer) according to the first embodiment.
  • FIG. 12 is a diagram illustrating an example of control operation count information (cooperative operation) according to the first embodiment.
  • FIG. 13 is a diagram showing an example of control operation count information (I/O operation) according to the first embodiment.
  • FIG. 14 is a diagram showing an example of control operation count information (interrupt operation) according to the first embodiment.
  • FIG. 15 is a diagram showing an example of control operation count information (timer operation) according to the first embodiment.
  • FIG. 16 is a diagram showing an example of a control signal access log according to the first embodiment.
  • FIG. 17 is a diagram illustrating an example of the scheduler setting according to the second embodiment.
  • FIG. 18 is a diagram illustrating an example of control operation count information (interrupt operation) according to the third embodiment.
  • FIG. 19 is a diagram illustrating an example of control operation information according to the first embodiment.
  • FIG. 20 is a diagram illustrating a hardware configuration example of the simulator device according to the first to third embodiments.
  • Embodiment 1.
  • In the present embodiment, a simulator device that verifies the processing variations caused by parallel operation of H/W and S/W, while modifying the implementation code that is the verification target program as little as possible, will be described. More specifically, a simulator device that verifies the implementation code in a unit test using an I/O device simulation program that simulates the operation of an I/O device will be described.
  • The simulator device according to the present embodiment makes it possible to reduce the number of rework steps after the S/W integration test.
  • FIG. 2 shows the relationship between the simulator device 100 according to the present embodiment, the implementation code 500 to be verified, and the I/O device simulation program 600 that simulates an I/O device.
  • The simulator device 100 corresponds to an example of a program verification device.
  • The implementation code 500 is a program in which the operation algorithm of the control device 200 is described.
  • The implementation code 500 is installed on the control device 200 and executed by the control device 200 after a test that includes verification using the simulator device 100.
  • The implementation code 500 is the program to be verified by the simulator device 100, and corresponds to an example of the verification target program.
  • The control device 200 controls the sensor device 300 and the drive device 400, which are the control targets.
  • The control device 200 includes an I/O port 204, an I/O port 205, an interrupt 206, and a timer 207 as hardware.
  • The control device 200 is equipped with a CPU (Central Processing Unit), hardware such as a microcomputer, and memory.
  • The control device 200 is connected to control targets such as the sensor device 300 and the drive device 400 via the I/O ports 204 and 205, which transmit and receive digital or analog signals, and controls the sensor device 300 and the drive device 400 via the I/O ports 204 and 205.
  • The I/O device simulation program 600 is a program that simulates the sensor device 300, the drive device 400, the I/O port 204, the I/O port 205, the interrupt 206, and the timer 207.
  • The simulator device 100 executes the implementation code 500 and the I/O device simulation program 600 to simulate the operation of the control device 200.
  • The S/W included in the implementation code 500 consists of a control process A 201, a control process B 202, and a hardware driver 203.
  • The control process A 201 and the control process B 202 realize the control logic that applies physical control to the control targets.
  • The hardware driver 203 is a program that mediates between the control processes A 201 and B 202 and the H/W (I/O port 204, I/O port 205, interrupt 206, timer 207).
  • The I/O process 2031 mediates the register accesses of the control process A 201 and the control process B 202 to the I/O ports 204 and 205.
  • The interrupt process 2032 functions as the handler for interrupts from the H/W.
  • The timer process 2033 functions as the handler for timeouts from the H/W.
  • The control device 200 and the devices connected to it shown in FIG. 2 are examples, and the scope of application of the present embodiment is not limited to the example of FIG. 2.
  • The simulator device 100 executes the implementation code 500 together with the I/O device simulation program 600 in order to verify the implementation code 500.
  • The simulator device 100 includes a scheduler 101, a verification scenario creation unit 102, a control monitoring unit 103, a verification item analysis unit 104, an interrupt simulation unit 105, and a timer simulation unit 106. Details of each element will be described later with reference to FIG.
  • The simulator device 100 mainly performs verification of interrupts and verification of the number of event occurrences.
  • The following outlines the verification of interrupts and the verification of the number of event occurrences. For convenience of explanation the two are described separately, but the simulator device 100 can perform the verification of interrupts and the verification of the number of event occurrences in parallel.
  • Each control process and each process in the hardware driver has aspects in which a plurality of variables (the cooperation signal 251, the I/O port signal 252, the state variable 253, and the counter variable 254 described later) must be accessed exclusively, that is, continuously without an intervening interrupt. At such times the control process or the process in the hardware driver needs to prohibit the interrupt while accessing the plurality of variables.
  • The simulator device 100 verifies whether the control process A 201 appropriately prohibits the interrupt at the timings at which prohibiting the interrupt is assumed to be appropriate (referred to as interrupt prohibition assumed timings).
  • The control processes and each process in the hardware driver are processes that access variables, and correspond to an example of a variable access process.
  • The control processes and each process in the hardware driver also make the setting that permits interrupts (hereinafter also referred to as the permission setting) and the setting that prohibits interrupts (hereinafter also referred to as the prohibition setting), and correspond to an example of an interrupt setting process.
  • The verification scenario creation unit 102 analyzes the implementation code 500.
  • The verification scenario creation unit 102 designates a plurality of timings (referred to as interrupt candidate timings or interrupt points) at which an interrupt may occur when the implementation code 500 is installed on the control device 200 and executed by the control device 200.
  • The scheduler 101 executes the implementation code 500 for verification.
  • At each interrupt candidate timing, the interrupt simulation unit 105 checks whether the control process A 201 has made the permission setting or the prohibition setting.
  • The interrupt simulation unit 105 generates an interrupt if the permission setting is in effect at the interrupt candidate timing. On the other hand, if the prohibition setting is in effect at the interrupt candidate timing, the interrupt simulation unit 105 does not generate an interrupt.
  • The verification item analysis unit 104 selects, from among the plurality of interrupt candidate timings, an interrupt candidate timing at which prohibiting the interrupt is assumed to be appropriate (an interrupt candidate timing at which the user considers it desirable that the control process make the prohibition setting) as the interrupt prohibition assumed timing, and verifies, based on the execution result of the implementation code 500, whether the control process A 201 appropriately prohibits the interrupt at the interrupt prohibition assumed timing.
  • The simulator device 100 verifies whether the numbers of occurrences of two or more related events are appropriate.
  • Among the plurality of events generated by executing the implementation code 500, the simulator device 100 stores two or more related events as related events, in association with each other.
  • Related events are two or more events that have a causal relationship, such as a request event and a response event.
  • The simulator device 100 stores the relationship between the numbers of occurrences of the related events that holds when the implementation code 500 is correct. For example, suppose that the simulator device 100 stores event A and event B in association with each other as related events. In this case, the simulator device 100 stores, for example, the relationship that the number of occurrences of event A is equal to the number of occurrences of event B as the relationship between the numbers of occurrences of the related events.
  • The scheduler 101 executes the implementation code 500, and the control monitoring unit 103 counts the number of occurrences of each event that occurs during the execution of the implementation code 500. Then, after the execution of the implementation code 500 is completed, the verification item analysis unit 104 verifies whether the numbers of occurrences of the related events are appropriate.
  • In the above example, the control monitoring unit 103 counts the number of occurrences of event A and the number of occurrences of event B, and the verification item analysis unit 104 verifies whether the counted number of occurrences of event A is equal to the counted number of occurrences of event B.
  • FIG. 3 shows the S/W architecture of the implementation code 500.
  • The scheduler 101 periodically activates each process in the control process A 201, the control process B 202, and the hardware driver 203. Data is transmitted and received between these processes via shared variables called control signals, and the control operations are executed.
  • The relationship between the processes and the signals shown in FIG. 3 is an example, and the application range of the present embodiment is not limited to the example of FIG. 3. The control operations and the control signals are described below.
  • The control operations include cooperative operations between control processes, I/O operations performed by a control process on the hardware driver, interrupt operations, and timer operations.
  • A cooperative operation includes a request operation, in which a control process (for example, control process A 201) requests a predetermined calculation from another control process (for example, control process B 202), and a response operation, in which the control process that received the request (for example, control process B 202) returns the calculation result to the requesting control process (for example, control process A 201).
  • An I/O operation includes an operation in which a control process reads data from the I/O device and an operation in which a control process writes data to the I/O device.
  • An interrupt operation includes an operation in which a control process sets interrupt permission and an operation in which a control process sets interrupt prohibition.
  • A timer operation includes an operation in which a control process notifies the timer start, an operation in which a control process notifies the timer end, and an operation in which a control process receives a timeout notification.
  • The control signals include the cooperation signal 251 transmitted and received between the control processes and the I/O signals transmitted and received between a control process and the hardware driver.
  • The I/O signals include the I/O port signal 252 for information transmission between a control process and the I/O process 2031, the state variable 253 for information transmission between a control process and the interrupt process 2032, and the counter variable 254 for information transmission between a control process and the timer process 2033. Signals not shown in FIG. 3 may be added as I/O signals.
  • The simulator device 100 manages the request operation and the response operation of a cooperative operation as related events.
  • The simulator device 100 also manages, for example, the I/O read operation and the I/O write operation of an I/O operation as related events.
  • The simulator device 100 also manages, for example, the interrupt permission setting operation and the interrupt prohibition setting operation of an interrupt operation as related events.
  • The simulator device 100 also manages, for example, the operation of notifying the timer start, the operation of notifying the timer end, and the operation of receiving a timeout notification of a timer operation as related events.
  • In order to handle I/O port register accesses, H/W interrupt generation, and H/W timeout generation, the hardware driver 203 runs the I/O process 2031, the interrupt process 2032, and the timer process 2033 in parallel with the control processes.
  • The scheduler 101 manages the execution of the control process A 201, the control process B 202, the I/O process 2031, the interrupt process 2032, and the timer process 2033. For example, if the execution priority of the hardware driver 203 is higher than that of the control process, the scheduler 101 interrupts the execution of the control process, starts the execution of the hardware driver 203, and resumes the execution of the control process after the execution of the hardware driver 203 ends.
  • The control processes and the hardware driver 203 change the content of each process based on the values of the control signals.
  • The verification scenario creation unit 102 reads the implementation code 500 from the program storage unit 108, reads the cooperation variables from the cooperation variable storage unit 107, analyzes the implementation code 500 and the cooperation variables, and creates a verification scenario.
  • The verification scenario includes input sequence information and interrupt point information.
  • The input sequence information is information indicating the transitions of the input values given to the implementation code 500.
  • The input sequence information is, for example, the information shown in FIG.
  • The interrupt point information is information indicating the interrupt points.
  • The interrupt point information is, for example, the information shown in FIG. Details of the input sequence information and the interrupt point information will be described later.
  • The verification scenario generated by the verification scenario creation unit 102 is stored in the verification scenario storage unit 110.
  • The verification scenario creation unit 102 corresponds to an example of an interrupt candidate timing designation unit.
  • The implementation code execution unit 1011 reads the implementation code 500 from the program storage unit 108, reads the scheduler setting from the scheduler setting storage unit 109, and executes the implementation code 500 according to the scheduler setting.
  • The scheduler setting is information indicating the activation code and the activation sequence of the implementation code 500 and the I/O device simulation program 600.
  • The scheduler setting is, for example, the information shown in FIG. Details of the scheduler setting will be described later.
  • The implementation code execution unit 1011 corresponds to an example of a program execution unit.
  • The I/O device simulation program execution unit 1012 reads the I/O device simulation program 600 from the program storage unit 108, reads the verification scenario from the verification scenario storage unit 110, and reads the scheduler setting from the scheduler setting storage unit 109. The I/O device simulation program execution unit 1012 then executes the I/O device simulation program 600 according to the verification scenario and the scheduler setting. When executing the I/O device simulation program 600, the I/O device simulation program execution unit 1012 also uses the timer notifications from the timer simulation unit 106. In addition, the I/O device simulation program execution unit 1012 simulates the interrupt 206 based on the H/W interrupt from the interrupt simulation unit 105 and requests an interrupt from the interrupt process 2032 in the hardware driver 203. The I/O device simulation program execution unit 1012 corresponds to an example of a program execution unit, and also corresponds to an example of an interrupt generation unit.
  • The implementation code execution unit 1011 and the I/O device simulation program execution unit 1012 are details of the scheduler 101 shown in FIG. 2.
  • The interrupt simulation unit 105 reads the verification scenario from the verification scenario storage unit 110 and reads the I/O device state information (interrupt) from the I/O device state storage unit 111.
  • The interrupt simulation unit 105 simulates the operation of the H/W interrupt according to the verification scenario and the I/O device state information (interrupt).
  • The I/O device state information (interrupt) indicates whether the interrupt is permitted or prohibited.
  • The I/O device state information (interrupt) is, for example, the information shown in FIG. 10.
  • When an interrupt point indicated in the verification scenario arrives, the interrupt simulation unit 105 refers to the I/O device state information (interrupt), and if the interrupt is permitted, notifies the I/O device simulation program execution unit 1012 of the H/W interrupt. Details of the I/O device state information (interrupt) will be described later.
  • The interrupt simulation unit 105 corresponds to an example of an interrupt generation unit.
  • The timer simulation unit 106 reads the I/O device state information (timer) from the I/O device state storage unit 111 and simulates the operation of the H/W timer according to the I/O device state information (timer).
  • The I/O device state information (timer) shows the details of the timer setting.
  • The I/O device state information (timer) is, for example, the information shown in FIG. Details of the I/O device state information (timer) will be described later.
  • The control monitoring unit 103 reads the control operation information from the control operation information storage unit 115, and during the execution of the implementation code 500 counts the number of control operations, which is the number of event occurrences, according to the control operation information. The control monitoring unit 103 also monitors the accesses to the control signals (variables) by the control process A 201 and the like during the execution of the implementation code 500. The control monitoring unit 103 records the number of control operations in the control operation number storage unit 112, and records the variable access status in the control signal access log storage unit 113 as a control signal access log. The number of control operations is recorded in the control operation number storage unit 112, for example, in the format shown in FIGS.
  • The control signal access log is, for example, the information shown in FIG. 16. The control operation information lists the related operations that are related events, together with a condition on the relationship between the numbers of occurrences of the related operations.
  • The control operation information is, for example, the information shown in FIG.
  • FIG. 19 shows the related operations of the cooperative operations between the control process A 201 and the control process B 202.
  • A cooperative operation X and a cooperative operation Y with different types of calculation are shown.
  • In the cooperative operation X, the request operation from the control process A 201 and the response operation from the control process B 202 are defined as related operations.
  • In the cooperative operation Y, the request operation from the control process B 202 and the response operation from the control process A 201 are defined as related operations.
  • The relation condition is “⁇ 0”, which expresses the condition that the number of occurrences of the request operation is equal to the number of occurrences of the response operation.
  • The relation condition defines the relationship between the numbers of occurrences of the related operations that holds when the implementation code 500 is correct. Here it is defined that the number of occurrences of the request operation is equal to the number of occurrences of the response operation.
  • The same kind of content as in FIG. 19 is defined in the control operation information for the I/O operations, the interrupt operations, and the timer operations.
  • In FIG. 19 the condition is that the number of occurrences of the request operation is equal to the number of occurrences of the response operation, but other conditions may be defined.
  • For example, a condition under which the implementation code 500 is judged correct if [number of request operations] ⁇ [number of response operations] may be defined.
  • The control monitoring unit 103 corresponds to an example of a counting unit.
  • The control operation information corresponds to an example of related event information.
  • The control operation information storage unit 115 corresponds to an example of a related event information storage unit.
  • The verification item analysis unit 104 reads the number of control operations from the control operation number storage unit 112, and verifies whether the number of control operations satisfies the relation condition indicated in the control operation information. The verification item analysis unit 104 also reads the control signal access log from the control signal access log storage unit 113, analyzes the accesses to the control signals (variables) by the control process A 201 and the like, and verifies whether the interrupt is appropriately prohibited at the interrupt prohibition assumed timings. The verification item analysis unit 104 creates a verification report indicating the verification results, and stores the created verification report in the verification report storage unit 114.
  • The verification item analysis unit 104 corresponds to an example of a verification unit.
  • The input of the flowchart of FIG. 4 is information identifying the implementation code 500 and the cooperation variables.
  • The output of the flowchart of FIG. 4 is the verification report, which is the result of the verification of the execution result of the implementation code 500 by the verification item analysis unit 104.
  • The I/O device simulation program 600 needs to be executed in a short cycle different from that of the implementation code 500.
  • Each step of the flowchart of FIG. 4 is described below in order, but the steps are not executed in the order of the description. The steps from the execution of the implementation code 500 (S102) to the execution of the interrupt process (S106) are executed sequentially, the steps from the execution of the I/O device simulation program 600 (S107) to the execution of the timer process (S109) are executed sequentially, and these two flows are executed in parallel.
  • The verification scenario creation unit 102 analyzes the implementation code 500 and the cooperation variables, and creates a verification scenario (S101).
  • The verification scenario includes input sequence information and interrupt point information.
  • The input sequence information is information in which the input values to be given to the implementation code 500 via the hardware driver 203 are arranged in time series.
  • The interrupt point information is information designating the timings (interrupt points) at which the occurrence of an interrupt in the H/W is simulated.
  • The verification scenario creation unit 102 creates the input sequence information, for example, by an existing method based on the input products from which the implementation code 500 was created, such as the customer specification, the control specification, and the function specification.
  • Alternatively, the verification scenario creation unit 102 may create the input sequence information by an existing method based on a coverage criterion of the implementation code 500 (for example, C0, C1, C2, or MC/DC (Modified Condition/Decision Coverage)), or by combining these two methods.
  • The verification scenario creation unit 102 extracts, as a contention control signal (contention variable), each control signal (variable) that is accessed by a plurality of processes in the implementation code 500 (by a plurality of control processes, or by a control process and a process in the hardware driver).
  • The verification scenario creation unit 102 designates the timings before and after each access to a contention control signal as interrupt points.
  • FIG. 6 illustrates contention control signals and interrupt points.
  • In FIG. 6, the control process A 201 and the interrupt process 2032 access state variables 1 to 3, and the timer process 2033 accesses state variable 3.
  • Since state variables 1 to 3 are accessed by a plurality of processes, the verification scenario creation unit 102 extracts state variables 1 to 3 as contention control signals. The verification scenario creation unit 102 then designates the timings before and after the access to each state variable as interrupt points. In the example of FIG. 6, the verification scenario creation unit 102 designates four timings as interrupt points.
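The extraction of contention control signals and the designation of interrupt points described above, as an added Python example that is not part of the patent or of any product of the applicant: the implementation code is abstracted to the ordered list of control-signal accesses each process makes (a constructed input modelled on FIG. 6; the process and variable names are assumptions), a signal accessed by two or more processes is a contention signal, and the timings immediately before and after each access of the control process under verification to such a signal become interrupt points.

```python
from collections import defaultdict

# Constructed input modelled on the FIG. 6 example (names are assumptions): the
# implementation code is abstracted to the ordered control-signal accesses of each
# process, as (control signal, access type) pairs.
PROCESS_ACCESSES = {
    "control_process_A": [
        ("state_variable_1", "read"),
        ("state_variable_2", "write"),
        ("state_variable_3", "write"),
    ],
    "interrupt_process": [
        ("state_variable_1", "write"),
        ("state_variable_2", "read"),
        ("state_variable_3", "read"),
    ],
    "timer_process": [
        ("state_variable_3", "write"),
    ],
    "io_processing": [
        ("io_port_signal", "read"),  # used by one process only: not a contention signal
    ],
}


def extract_contention_signals(process_accesses):
    """Return the control signals that are accessed by two or more processes."""
    users = defaultdict(set)
    for process, accesses in process_accesses.items():
        for signal, _access_type in accesses:
            users[signal].add(process)
    return {signal for signal, processes in users.items() if len(processes) >= 2}


def designate_interrupt_points(process_accesses, contention_signals, target_process):
    """Interrupt points of target_process: the timings immediately before and after
    each of its accesses to a contention signal.  Timing k lies between access k-1
    and access k, so the timing after one access and the timing before the next
    coincide and are designated only once."""
    points = set()
    for k, (signal, _access_type) in enumerate(process_accesses[target_process]):
        if signal in contention_signals:
            points.add(k)      # before the access
            points.add(k + 1)  # after the access
    return sorted(points)


def interrupt_point_information(process_accesses, target_process):
    """Rows in the spirit of FIG. 8: one row per interrupt point, naming the control
    signals accessed just before and just after it (None at the start or end)."""
    contention = extract_contention_signals(process_accesses)
    accesses = process_accesses[target_process]
    rows = []
    for k in designate_interrupt_points(process_accesses, contention, target_process):
        rows.append({
            "process": target_process,
            "interrupt_point": k,
            "preceding_access": accesses[k - 1][0] if k > 0 else None,
            "following_access": accesses[k][0] if k < len(accesses) else None,
        })
    return rows


if __name__ == "__main__":
    print(sorted(extract_contention_signals(PROCESS_ACCESSES)))
    for row in interrupt_point_information(PROCESS_ACCESSES, "control_process_A"):
        print(row)
```

With the FIG. 6-like input the three state variables are extracted and control process A receives four interrupt points (0 to 3), because the timing after one access coincides with the timing before the next and is designated once; this matches the four timings the text describes.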
  • FIG. 7 shows an example of the input sequence information.
  • In FIG. 7, the input variables of the implementation code 500 are i and j, and the values assigned to the input variables i and j are shown in time series.
  • Each row of FIG. 7 shows the pattern of input values for one test.
  • Since the simulator device 100 simulates finite-time operation, a maximum number of steps is specified in the input sequence information. The maximum number of steps is the maximum number of activations, that is, the number of activations that determines the end point of the operation.
  • FIG. 8 shows an example of the interrupt point information.
  • FIG. 8 shows the interrupt point information corresponding to the example of FIG. 6. As described above, the timings before and after the accesses to state variables 1 to 3 are interrupt points.
  • The simulator device 100 performs the test once for each row of FIG. 7. That is, if the input sequence information consists of n rows, the interrupt simulation unit 105 repeats execution of the implementation code 500 n times, using the input value pattern of each row of the input sequence information. The interrupt simulation unit 105 then generates an H/W interrupt at each interrupt point shown in FIG. 8 unless interrupts are prohibited there.
  • The I/O device simulation program execution unit 1012 reads the input values of the corresponding step from the input sequence information of the verification scenario and sets them in the input variables of the implementation code 500.
  • The scheduler settings are shown in FIG. 9.
  • FIG. 9 shows the scheduler settings for a case in which two types of I/O device simulation program 600, two types of I/O processing 2031, and two types of control processing are executed in the simulator device 100.
  • The activation order represents the execution priority when there are a plurality of processes with the same activation cycle. The process whose activation order is "1" is executed first.
  • In execution of the implementation code 500 (S102), the implementation code execution unit 1011 reads the input values, reads and writes each control signal, executes the control operations in accordance with the control logic described in the implementation code 500, and writes the output values resulting from the operations to the output variables.
  • Permission or prohibition of interrupts is set by the control process. Specifically, it is set in the I/O device state information (interrupt) in the I/O device state storage unit 111.
  • FIG. 10 shows an example of the I/O device state information (interrupt).
  • FIG. 10 shows the I/O device state information (interrupt) for a case in which two interrupts 206, X and Y, are provided. Further, when a timer start or timer end occurs in a control process, information for timer management is written to the I/O device state information (timer) in the I/O device state storage unit 111.
  • FIG. 11 shows an example of the I/O device state information (timer).
  • FIG. 11 shows the I/O device state information (timer) for a case in which two timers 207, X and Y, are provided.
  • The timer type is set to one-shot (the timer is terminated automatically when it times out once) or continuous (timeouts occur repeatedly until the timer is ended), and the timer state is set to started or ended.
  • A timer value and a counter are also set.
  • The control monitoring unit 103 monitors the control operations and control signal accesses during execution of the implementation code 500 (S102) (S103). When the control monitoring unit 103 detects a control operation, it increments the count of the corresponding control operation (S104). When the control monitoring unit 103 detects a control signal access, it appends the control signal name, access type, and access value to the control signal access log in time order (S105).
  • FIG. 12 shows control operation count information (cooperation operation), indicating the number of control operations in cooperation operations.
  • FIG. 13 shows control operation count information (I/O operation), indicating the number of control operations in I/O operations.
  • FIG. 14 shows control operation count information (interrupt operation), indicating the number of control operations in interrupt operations.
  • FIG. 15 shows control operation count information (timer operation), indicating the number of control operations in timer operations.
  • In the control operation count information (cooperation operation) and the control operation count information (I/O operation), two control operations whose "relation condition" is "YES" are related operations. That is, two control operations whose "relation condition" is "YES" are defined as related operations in the control operation information of FIG. 19.
  • A pair of control operations described on the same row is a related operation.
  • FIG. 16 shows a control signal access log.
  • In the control signal access log, "process name", "control signal name", "access type", and "access value" are described.
  • The "process name" column gives the name of the process that accessed the control signal.
  • The "control signal name" column gives the name of the control signal that was accessed.
  • The "access type" column gives the type of access performed.
  • The "access value" column gives the value read from or written to the control signal.
  • At each interrupt point shown in FIG. 8, the interrupt simulation unit 105 refers to the I/O device state information (interrupt) of FIG. 10 and generates an H/W interrupt when the interrupt state is "permitted" (S106).
  • The I/O device simulation program execution unit 1012 simulates the I/O port 205 and generates an interrupt to the interrupt process 2032 of the implementation code 500.
  • The interrupt process 2032 accesses the target control signal (for example, state variable 1).
  • When the interrupt state is "prohibited", the interrupt simulation unit 105 does not generate an H/W interrupt.
  • The timer simulation unit 106 refers to the I/O device state information (timer) of FIG. 11 and counts up the corresponding timer when the timer state is "started" (S108). When the counter reaches the timer value and the timer times out, the implementation code execution unit 1011 executes the corresponding timer process 2033.
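The timer simulation (S108) with the one-shot and continuous timer types described above, as an added Python example that is not part of the patent: one row per timer of the I/O device state information (timer), a count-up step that reports which timer processes 2033 must be executed, and automatic termination of a one-shot timer after its first timeout. Timer names and values are constructed.

```python
from dataclasses import dataclass


@dataclass
class TimerState:
    """One row of the I/O device state information (timer), FIG. 11."""
    name: str
    timer_type: str        # "one_shot" or "continuous"
    state: str             # "started" or "ended"
    timer_value: int       # count-ups until the timer times out
    counter: int = 0


def timer_simulation_step(timers):
    """One execution of the timer simulation (S108): count up every started timer and
    return the names of the timers that timed out, i.e. whose timer process 2033 the
    implementation code execution unit must now run."""
    expired = []
    for t in timers:
        if t.state != "started":
            continue
        t.counter += 1
        if t.counter >= t.timer_value:
            expired.append(t.name)
            t.counter = 0
            if t.timer_type == "one_shot":
                t.state = "ended"   # one-shot: terminated automatically after one timeout
            # continuous: stays started and times out again after timer_value count-ups
    return expired


def run_timer_simulation(timers, cycles):
    """Run `cycles` short cycles of the timer simulation; returns (cycle, timer name) timeouts."""
    events = []
    for cycle in range(cycles):
        for name in timer_simulation_step(timers):
            events.append((cycle, name))
    return events


def make_example_timers():
    """Constructed timer rows (names and values are assumptions)."""
    return [
        TimerState("X", "one_shot", "started", timer_value=3),
        TimerState("Y", "continuous", "started", timer_value=2),
        TimerState("Z", "one_shot", "ended", timer_value=4),   # not started: never counts
    ]


if __name__ == "__main__":
    timers = make_example_timers()
    print(run_timer_simulation(timers, 6))
    print(timers)
```

Over six cycles the one-shot timer X times out once (after three count-ups) and ends itself, while the continuous timer Y times out on every second cycle until a control process ends it; the ended timer Z never counts.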
  • The verification item analysis unit 104 verifies the control operation counts and the control signal access log, and creates a verification report (S110).
  • The verification item analysis unit 104 refers to the control operation count information of FIGS. 12 to 15 and determines that the control operation counts are appropriate if the numbers of occurrences of related operations balance. The determination rule for each control operation is shown below.
  • Number of occurrences of "request operation" = number of occurrences of "response operation" (when the relation condition is YES)
  • Number of occurrences of "I/O read" = number of occurrences of "I/O write" (when the relation condition is YES)
  • Number of occurrences of "allow interrupt" = number of occurrences of "prohibit interrupt"
  • Number of occurrences of "timer start" = number of occurrences of "timer end" + number of occurrences of "timeout" (one-shot timer)
  • Number of occurrences of "timer start" = number of occurrences of "timer end" (continuous timer)
  • In the example of FIGS. 12 to 15, the verification item analysis unit 104 determines that the cooperation operation X of the control process A is appropriate.
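The balance rules above, implemented as an added Python example (not the patent's code): the control operation counts of FIGS. 12 to 15 are represented as a constructed dictionary keyed by (process, category, target, operation), the "relation condition" of FIG. 19 as a set of related pairs, and the timer types of FIG. 11 as a mapping; all names and numbers are assumptions. The optional process-to-group mapping aggregates the counts per group before checking, which generalizes the per-process check to the group-unit verification of Embodiment 3.

```python
from collections import defaultdict

# Constructed control operation counts in the spirit of FIGS. 12 to 15, keyed by
# (process, category, target, operation).  All names and numbers are assumptions.
CONTROL_OPERATION_COUNTS = {
    ("control_process_A", "cooperation", "cooperation_X", "request"): 2,
    ("control_process_A", "cooperation", "cooperation_X", "response"): 2,
    ("control_process_A", "io", "io_port_204", "read"): 4,
    ("control_process_A", "io", "io_port_204", "write"): 4,
    ("control_process_A", "interrupt", "X", "allow"): 3,
    ("control_process_A", "interrupt", "X", "prohibit"): 2,  # unbalanced per process
    ("control_process_B", "interrupt", "X", "allow"): 0,
    ("control_process_B", "interrupt", "X", "prohibit"): 1,  # unbalanced per process
    ("control_process_B", "timer", "X", "start"): 1,
    ("control_process_B", "timer", "X", "end"): 0,
    ("control_process_B", "timer", "X", "timeout"): 1,       # one-shot: start == end + timeout
    ("control_process_B", "timer", "Y", "start"): 2,
    ("control_process_B", "timer", "Y", "end"): 1,           # continuous: start != end
}

# (category, target) pairs whose "relation condition" is YES (control operation
# information, FIG. 19).  Pairs not listed here are not checked.
RELATED = {("cooperation", "cooperation_X"), ("io", "io_port_204")}

# Timer type per timer, as set in the I/O device state information (timer), FIG. 11.
TIMER_TYPES = {"X": "one_shot", "Y": "continuous"}


def aggregate_by_unit(counts, groups=None):
    """Re-key the counts by verification unit: the process itself, or the group the
    process belongs to when a process-to-group mapping is given (Embodiment 3)."""
    unit_counts = defaultdict(int)
    for (process, category, target, operation), n in counts.items():
        unit = groups.get(process, process) if groups else process
        unit_counts[(unit, category, target, operation)] += n
    return unit_counts


def check_control_operation_counts(counts, related, timer_types, groups=None):
    """Apply the balance rules and return one finding per unbalanced
    (unit, category, target) as (unit, category, target, rule, lhs, rhs)."""
    unit_counts = aggregate_by_unit(counts, groups)
    findings = []
    for unit, category, target in sorted({key[:3] for key in unit_counts}):
        def n(operation):
            return unit_counts.get((unit, category, target, operation), 0)

        if category == "cooperation" and (category, target) in related:
            lhs, rhs, rule = n("request"), n("response"), "request == response"
        elif category == "io" and (category, target) in related:
            lhs, rhs, rule = n("read"), n("write"), "read == write"
        elif category == "interrupt":
            lhs, rhs, rule = n("allow"), n("prohibit"), "allow == prohibit"
        elif category == "timer" and timer_types.get(target, "continuous") == "one_shot":
            lhs, rhs, rule = n("start"), n("end") + n("timeout"), "start == end + timeout"
        elif category == "timer":
            lhs, rhs, rule = n("start"), n("end"), "start == end"
        else:
            continue  # no relation condition: nothing to balance
        if lhs != rhs:
            findings.append((unit, category, target, rule, lhs, rhs))
    return findings


if __name__ == "__main__":
    for finding in check_control_operation_counts(CONTROL_OPERATION_COUNTS, RELATED, TIMER_TYPES):
        print("per process:", finding)
    groups = {"control_process_A": "group_AB", "control_process_B": "group_AB"}
    for finding in check_control_operation_counts(CONTROL_OPERATION_COUNTS, RELATED, TIMER_TYPES, groups):
        print("per group:", finding)
```

Per process, the interrupt X counts of both control processes are unbalanced (3 allow against 2 prohibit, and 0 against 1); per group the same counts sum to 3 against 3 and pass, leaving only the continuous timer Y, whose start count exceeds its end count, in the report.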
  • The verification item analysis unit 104 refers to the control signal access log of FIG. 16 and determines that interrupt control is appropriate if no access to a contention control signal by another process is interleaved between the accesses to the contention control signals by the control process A (or another control process under verification). In the example of FIG. 16, the verification item analysis unit 104 pays attention to state variable 1, state variable 2, and state variable 3, which are contention control signals. In the example of FIG. 16, the access from the interrupt process to state variable 1 (No. 3) is interleaved between the accesses from the control process A to these state variables (No. 2, No. 4, No. 5). Therefore, the verification item analysis unit 104 determines that interrupts were not properly prohibited at the expected interrupt prohibition timing.
  • That is, from among the plurality of interrupt candidate timings, the verification item analysis unit 104 selects the timings between the accesses from the control process A to state variable 1, state variable 2, and state variable 3 as the interrupt prohibition assumption timings, and checks whether any of state variable 1, state variable 2, and state variable 3 was accessed from another process at those timings. The verification item analysis unit 104 then determines that interrupts were not properly prohibited if any of state variable 1, state variable 2, and state variable 3 was accessed from another process at an interrupt prohibition assumption timing.
  • The verification item analysis unit 104 also determines whether the access values shown in the control signal access log are correct in light of the input artifacts from which the implementation code 500 was created, such as the customer specification, control specification, and function specification.
  • The verification item analysis unit 104 outputs a verification report.
  • In the verification report, at least the items (control operation counts, interrupt control) that the verification item analysis unit 104 did not determine to be appropriate are described.
  • The user of the simulator device 100 uses the verification report generated by the simulator device 100 to check the operation of the implementation code with a microcomputer emulator that has obtained ISO 26262 certification. In this way, the implementation code can be easily adapted to the ISO 26262 standard.
  • Detecting defects related to the H/W-S/W interface in unit testing reduces the rework man-hours from the S/W integration test onward.
  • Embodiment 2. In the first embodiment, the method of verifying the implementation code 500 by constantly operating the control process to be verified was described. In the present embodiment, a method of verifying the implementation code 500 by dynamically generating or deleting the control process to be verified is described.
  • In the present embodiment, the scheduler setting of FIG. 17 is used instead of the scheduler setting of FIG. 9.
  • Compared with the scheduler setting of FIG. 9, the scheduler setting of FIG. 17 has added columns for an activation trigger and an activation state.
  • The activation trigger column shows the event that starts or ends the control process.
  • As activation triggers, a cooperation signal, an I/O port, a state variable, and a counter are described.
  • For example, the control process C starts operating when an event in which a predetermined cooperation signal 251 is input occurs.
  • The implementation code execution unit 1011 periodically executes the control processes and the hardware driver 203 whose activation state is "always". When a state matching the activation trigger of a control process occurs, the implementation code execution unit 1011 starts periodic execution of that control process if its activation state is "start", and ends periodic execution of that control process if its activation state is "end".
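The scheduler settings of FIGS. 9 and 17 (activation cycle, activation order, activation trigger and activation state), as an added Python example that is not part of the patent: a tick-based scheduler runs every process whose activation state is "always" on its cycle, ordered by activation order within a tick, and starts or ends a triggered process when the observed signal state matches its trigger. The entries, the signal trace and the rule that a shorter cycle runs first when processes with different cycles fall due in the same tick are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Trigger = Tuple[str, object]   # (signal name, value) that constitutes the triggering state


@dataclass
class SchedulerEntry:
    """One row of the scheduler setting (FIG. 9, extended per FIG. 17)."""
    name: str
    activation_cycle: int            # executed every activation_cycle ticks
    activation_order: int            # priority among processes with the same cycle; 1 runs first
    always: bool = True              # activation state "always": periodic from the first tick
    start_trigger: Optional[Trigger] = None   # state that starts periodic execution
    end_trigger: Optional[Trigger] = None     # state that ends periodic execution


def run_scheduler(entries: List[SchedulerEntry], signal_trace: Dict[int, Dict[str, object]], ticks: int):
    """Simulate `ticks` scheduler ticks; signal_trace gives the signal values that
    become visible at a tick (constructed H/W and cooperation events).  Returns the
    list of (tick, process name) executions in execution order."""
    active = {e.name for e in entries if e.always}
    signals: Dict[str, object] = {}
    executions: List[Tuple[int, str]] = []
    for tick in range(ticks):
        signals.update(signal_trace.get(tick, {}))
        # Activation triggers are evaluated against the current state before scheduling.
        for e in entries:
            if e.start_trigger and signals.get(e.start_trigger[0]) == e.start_trigger[1]:
                active.add(e.name)
            if e.end_trigger and signals.get(e.end_trigger[0]) == e.end_trigger[1]:
                active.discard(e.name)
        due = [e for e in entries if e.name in active and tick % e.activation_cycle == 0]
        # Assumption: a shorter cycle runs first; ties are broken by activation order.
        for e in sorted(due, key=lambda e: (e.activation_cycle, e.activation_order)):
            executions.append((tick, e.name))
    return executions


def executed_at(executions, tick):
    """Names of the processes executed at `tick`, in execution order."""
    return [name for t, name in executions if t == tick]


def example_entries():
    """Constructed scheduler setting: three always-on processes and one control process C
    started and ended by the cooperation signal 251 (names are assumptions)."""
    return [
        SchedulerEntry("hardware_driver", 1, 1),
        SchedulerEntry("control_process_A", 2, 1),
        SchedulerEntry("control_process_B", 2, 2),
        SchedulerEntry("control_process_C", 1, 2, always=False,
                       start_trigger=("cooperation_signal_251", 1),
                       end_trigger=("cooperation_signal_251", 0)),
    ]


def example_trace():
    """Constructed signal trace: the cooperation signal is raised at tick 2 and cleared at tick 5."""
    return {2: {"cooperation_signal_251": 1}, 5: {"cooperation_signal_251": 0}}


if __name__ == "__main__":
    for tick, name in run_scheduler(example_entries(), example_trace(), 7):
        print(tick, name)
```

Control process C is absent from ticks 0 and 1, runs every tick from tick 2 (after the hardware driver, which shares its cycle and has the lower activation order) and disappears again from tick 5, when the cooperation signal matches its end trigger.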
  • As described above, in the present embodiment, a software parallel operation verification device has been described in which an activation trigger is set in advance in the scheduler setting, and when a state matching the activation trigger occurs during execution of the implementation code, the corresponding control process is dynamically generated or the corresponding control process is terminated.
  • Embodiment 3. In the first embodiment, the method of verifying the control operation counts for each control process was described. In the present embodiment, a method of verifying the control operation counts in units of groups, each combining a plurality of control processes, is described. That is, in this embodiment, the verification item analysis unit 104 verifies whether the relationship between the control operation counts is appropriate across a plurality of control processes.
  • The simulator device 100 creates a group of control processes, and determines that the counts are appropriate if the number of request operations and the number of response operations are equal within the group.
  • In the present embodiment, the interrupt simulation unit 105 still counts the control operations in units of control processes, but the verification by the verification item analysis unit 104 is performed in units of groups.
  • In the present embodiment, the control operation count information shown in FIG. 18 is used.
  • In FIG. 18, a "group name" column is added to the control operation count information (interrupt operation) of FIG. 14. That is, in the example of FIG. 18, the control process A and the control process B are grouped. FIG. 18 shows only the control operation count information (interrupt operation), but the same information is added to the control operation count information (cooperation operation), the control operation count information (I/O operation), and the control operation count information (timer operation).
  • As described above, in the present embodiment, a software parallel operation verification device has been described that verifies whether the counts of a plurality of control operations correspond correctly in units of groups into which a plurality of control processes are collected.
  • The simulator device 100 is a computer, and each element of the simulator device 100 can be realized by a program.
  • In the hardware configuration of FIG. 20, an arithmetic device 901, an external storage device 902, a main storage device 903, a communication device 904, and an input/output device 905 are connected to a bus.
  • The arithmetic device 901 is a CPU that executes programs.
  • The external storage device 902 is, for example, a ROM (Read Only Memory), a flash memory, or a hard disk device.
  • The main storage device 903 is a RAM (Random Access Memory). Each "... storage unit" shown in FIG. 1 is implemented by the external storage device 902 or the main storage device 903.
  • The communication device 904 is, for example, a NIC (Network Interface Card).
  • The input/output device 905 is, for example, a mouse, a keyboard, or a display device.
  • The program is normally stored in the external storage device 902, loaded into the main storage device 903, and sequentially read into and executed by the arithmetic device 901.
  • The program realizes the functions described as "... unit" (excluding the "... storage unit" shown in FIG. 1; the same applies hereinafter).
  • An operating system (OS) is also stored in the external storage device 902. At least part of the OS is loaded into the main storage device 903, and the arithmetic device 901 executes the program that realizes the functions of each "... unit" shown in FIG. 1 while executing the OS.
  • Information, data, signal values, and variable values indicating the results of processing are stored in the main storage device 903 as files.
  • Encryption keys, decryption keys, random number values, and parameters may also be stored in the main storage device 903 as files.
  • FIG. 20 is merely an example of the hardware configuration of the simulator device 100; the hardware configuration of the simulator device 100 is not limited to the configuration illustrated in FIG. 20 and may be another configuration.
  • The program verification method according to the present invention can be realized by the procedures shown in Embodiments 1 to 3.
  • 100 simulator device, 101 scheduler, 102 verification scenario creation unit, 103 control monitoring unit, 104 verification item analysis unit, 105 interrupt simulation unit, 106 timer simulation unit, 107 linkage variable storage unit, 108 program storage unit, 109 scheduler setting storage unit, 110 verification scenario storage unit, 111 I/O device state storage unit, 112 control operation count storage unit, 113 control signal access log storage unit, 114 verification report storage unit, 115 control operation information storage unit, 1011 implementation code execution unit, 1012 I/O device simulation program execution unit, 200 control device, 201 control process A, 202 control process B, 203 hardware driver, 204 I/O port, 205 I/O port, 206 interrupt, 207 timer, 2031 I/O processing, 2032 interrupt processing, 2033 timer processing, 251 cooperation signal, 252 I/O port signal, 253 state variable, 254 counter signal, 300 sensor device, 400 drive device, 500 implementation code, 600 I/O device simulation program.

Abstract

A verification scenario creation unit (102) analyzes an implementation code which is a program to be verified, and designates, as interruption points, a plurality of timings at which there is a possibility that interruption may occur when the implementation code is executed. An implementation code execution unit (1011) executes the implementation code. An interruption simulation unit (105) does not cause interruption at the interruption point if a setting has been made to prohibit interruption at said interruption point at the time of executing the implementation code, and causes interruption at the interruption point if a setting has been made to permit interruption at said interruption point. A verification item analysis unit (104) analyzes the result of executing the implementation code and determines whether or not a setting to prohibit interruption was made properly at timings, among said plurality of interruption points, at which interruption is to be prohibited.

Description

Program verification apparatus, program verification method, and program
The present invention relates to a technique for verifying a program (hereinafter also referred to as software).
Control S/W, which is a kind of embedded software (hereinafter also referred to as S/W), is rapidly increasing in scale and complexity in order to meet the demand for more functions and higher added value.
Moreover, as users' safety orientation grows, functional safety standards for functionally ensuring the safety of products have been formulated in various fields.
As an example, the functional safety standard ISO 26262 for automobiles was formulated in November 2011, and product development is required to comply with the standard without an increase in cost.
ISO 26262 specifies the development process and work items for achieving safety, together with the deliverables and recommended techniques of each work item, in order to cope with the increased risk not only of random hardware (hereinafter also referred to as H/W) failures but also of systematic S/W failures.
In order to develop products while conforming to ISO 26262, it is necessary, from the viewpoint of quality and cost, to select the work items and recommended techniques that are necessary and sufficient to realize the safety requirements, create the deliverables, and verify the validity of the deliverables using the various tools that have obtained ISO 26262 certification.
Also, in recent control S/W development projects, the number and types of I/O (Input/Output) devices controlled by the control S/W have increased in order to meet the demand for more functions and higher added value.
With the increase in the number and types of I/O devices, it has become difficult to perform tests that cover every processing order and execution timing.
For this reason, it has become a problem that, during operation on the actual machine after the S/W integration test (when the control S/W is installed in and executed by the control device), the control S/W is executed under special conditions that were not assumed in the test, and defects related to the H/W-S/W interface occur.
In the H/W-S/W interface verification performed in the unit test of the control S/W, all conditions that occur only rarely during operation on the actual machine after the test must be assumed, and tests corresponding to all of these conditions must be performed without omission.
Specifically, the following requirements must be realized.
(1) In order to guarantee the verification result, the implementation code, which is the program to be verified, should be modified as little as possible.
(2) It must be possible to verify, without omission, the variations of processing caused by the parallel operation of H/W and S/W.
(3) It must be possible to simulate the finite-time operation of the implementation code.
In general, a situation in which a device continues to operate for an infinite time without stopping is hard to conceive, so simulation of finite-time operation is sufficient.
As conventional software parallel operation verification techniques for H/W-S/W interface verification, a method of simulating the operation of I/O devices (for example, Patent Document 1) and implementation code analysis by model checking (for example, Non-Patent Document 1) are often used.
In the method of simulating the operation of I/O devices (for example, Patent Document 1), the finite-time operation of the I/O device computation and interrupt processing can be simulated according to manually set I/O device operating conditions.
In implementation code analysis by model checking (for example, Non-Patent Document 1), the variations of parallel operation within a finite time can be verified without omission by converting the implementation code into a dedicated description in SMT (Satisfiability Modulo Theories) form.
Patent Document 1: JP 2007-233675 A
The conventional software parallel operation verification techniques have the following problems.
The method of simulating the operation of I/O devices can verify finite-time operation without modifying the implementation code (requirements (1) and (3) can be achieved).
However, when the tester sets the verification conditions manually, only tests within the conditions the tester anticipated can be performed, and the variations of processing caused by the parallel operation of H/W and S/W cannot necessarily be verified without omission (requirement (2) cannot be achieved).
Implementation code analysis by model checking can verify the variations of processing caused by the parallel operation of H/W and S/W (requirements (2) and (3) can be achieved).
However, it is difficult to guarantee that the implementation code and the dedicated description agree, and additional man-hours are incurred to guarantee the consistency between the implementation code and the dedicated description (requirement (1) cannot be achieved).
The present invention has been made in view of the above circumstances, and its main object is to verify a verification target program, without modifying it, under the conditions that occur during operation on the actual machine.
The program verification apparatus according to the present invention is
a program verification apparatus that verifies a verification target program including an interrupt setting process that makes settings related to interrupts, and comprises:
an interrupt candidate timing designation unit that analyzes the verification target program and designates, each as an interrupt candidate timing, a plurality of timings at which an interrupt may occur when the verification target program is executed by the device that executes the verification target program;
a program execution unit that executes the verification target program;
an interrupt generation unit that, when the program execution unit executes the verification target program, does not generate an interrupt at an interrupt candidate timing if the interrupt setting process has made a setting that prohibits interrupts at that interrupt candidate timing, and generates an interrupt at the interrupt candidate timing if the interrupt setting process has made a setting that permits interrupts at that interrupt candidate timing; and
a verification unit that selects, from among the plurality of interrupt candidate timings, an interrupt candidate timing at which it is assumed appropriate to prohibit interrupts as an interrupt prohibition assumption timing, analyzes the execution result of the verification target program, and determines whether or not a setting that prohibits interrupts was made by the interrupt setting process at the interrupt prohibition assumption timing.
In the present invention, the verification target program is analyzed, the interrupt candidate timings at which an interrupt may occur when the verification target program is executed on the device are designated, and whether an interrupt is generated is adjusted according to the setting made by the interrupt setting process at each interrupt candidate timing.
Therefore, with respect to interrupt control, the verification target program can be verified under the same conditions as during operation on the actual machine.
FIG. 1 is a diagram showing a configuration example of the simulator device according to Embodiment 1.
FIG. 2 is a diagram showing the relationship between the simulator device, the implementation code, and the I/O device simulation program according to Embodiment 1.
FIG. 3 is a diagram showing the S/W architecture of the implementation code according to Embodiment 1.
FIG. 4 is a flowchart showing an operation example of the simulator device according to Embodiment 1.
FIG. 5 is a diagram showing an example of the verification scenario generation procedure according to Embodiment 1.
FIG. 6 is a diagram showing an example of interrupt points according to Embodiment 1.
FIG. 7 is a diagram showing an example of input sequence information according to Embodiment 1.
FIG. 8 is a diagram showing an example of interrupt point information according to Embodiment 1.
FIG. 9 is a diagram showing an example of the scheduler setting according to Embodiment 1.
FIG. 10 is a diagram showing an example of I/O device state information (interrupt) according to Embodiment 1.
FIG. 11 is a diagram showing an example of I/O device state information (timer) according to Embodiment 1.
FIG. 12 is a diagram showing an example of control operation count information (cooperation operation) according to Embodiment 1.
FIG. 13 is a diagram showing an example of control operation count information (I/O operation) according to Embodiment 1.
FIG. 14 is a diagram showing an example of control operation count information (interrupt operation) according to Embodiment 1.
FIG. 15 is a diagram showing an example of control operation count information (timer operation) according to Embodiment 1.
FIG. 16 is a diagram showing an example of a control signal access log according to Embodiment 1.
FIG. 17 is a diagram showing an example of the scheduler setting according to Embodiment 2.
FIG. 18 is a diagram showing an example of control operation count information (interrupt operation) according to Embodiment 3.
FIG. 19 is a diagram showing an example of control operation information according to Embodiment 1.
FIG. 20 is a diagram showing a hardware configuration example of the simulator device according to Embodiments 1 to 3.
Embodiment 1.
In this embodiment, a simulator device is described that verifies the processing variations arising from the parallel operation of H/W and S/W while modifying the implementation code (the verification target program) as little as possible.
More specifically, this embodiment describes a simulator device that verifies the implementation code in a unit test using an I/O device simulation program that simulates the operation of I/O devices.
The simulator device according to this embodiment makes it possible to reduce the rework effort arising from the S/W integration test onward.
FIG. 2 shows the relationship between the simulator device 100 according to this embodiment, the implementation code 500 to be verified, and the I/O device simulation program 600 that simulates I/O devices.
The simulator device 100 corresponds to an example of a program verification device.
The implementation code 500 is a program describing the operation algorithm of the control device 200.
After testing, including verification using the simulator device 100, the implementation code 500 is installed in the control device 200 and executed by it.
The implementation code 500 is the program verified by the simulator device 100 and corresponds to an example of the verification target program.
As shown in FIG. 2, the control device 200 controls the sensor device 300 and the drive device 400, which are the control targets.
The control device 200 includes, as hardware, an I/O port 204, an I/O port 205, an interrupt 206 and a timer 207.
Although omitted from FIG. 2, the control device 200 is also equipped with hardware such as a CPU (Central Processing Unit) or microcomputer and memory.
The control device 200 is connected to the control targets such as the sensor device 300 and the drive device 400 via the I/O ports 204 and 205, which transmit and receive digital or analog signals, and controls the sensor device 300 and the drive device 400 through the I/O ports 204 and 205.
As shown in FIG. 2, the I/O device simulation program 600 is a program that simulates the sensor device 300, the drive device 400, the I/O port 204, the I/O port 205, the interrupt 206 and the timer 207.
The simulator device 100 executes the implementation code 500 and the I/O device simulation program 600 to simulate the operation of the control device 200.
The S/W included in the implementation code 500 consists of a control process A 201, a control process B 202 and a hardware driver 203.
The control process A 201 and the control process B 202 implement the control logic that applies physical control to the control targets.
The hardware driver 203 is a program that mediates between the control processes A 201 and B 202 and the H/W (the I/O port 204, the I/O port 205, the interrupt 206 and the timer 207).
Within the hardware driver 203, the I/O process 2031 mediates the register accesses of the control processes A 201 and B 202 to the I/O ports 204 and 205.
The interrupt process 2032 functions as the handler for interrupts raised by the H/W.
The timer process 2033 functions as the handler for timeouts raised by the H/W.
Note that the configuration of the control device 200 and the devices connected to it shown in FIG. 2 are only an example; the scope of application of this embodiment is not limited to the example of FIG. 2.
The simulator device 100 executes the implementation code 500 together with the I/O device simulation program 600 to verify the implementation code 500.
The simulator device 100 includes a scheduler 101, a verification scenario creation unit 102, a control monitoring unit 103, a verification item analysis unit 104, an interrupt simulation unit 105 and a timer simulation unit 106.
Details of each element will be described later with reference to FIG. 2.
The simulator device 100 mainly performs two kinds of verification: verification of interrupts and verification of event occurrence counts.
Both are outlined below.
For convenience of explanation they are described separately, but the simulator device 100 can perform the interrupt verification and the event count verification in parallel.
When the implementation code 500 is executed, there are situations in which a control process or a process in the hardware driver must access several variables (a cooperation signal 251, an I/O port signal 252, a state variable 253 and a counter variable 254, described later) consecutively and exclusively, that is, without an intervening interrupt.
In such a situation the control process or the process in the hardware driver must disable interrupts before accessing those variables.
In the interrupt verification, the simulator device 100 verifies whether the control process A 201 properly disables interrupts at the timings at which disabling interrupts is assumed to be appropriate (referred to as interrupt-disable expected timings).
As described above, the control processes and the processes in the hardware driver access variables, and so correspond to examples of the variable access process.
They also perform the setting that enables interrupts (hereinafter also called the permission setting) and the setting that disables interrupts (hereinafter also called the prohibition setting), and so correspond to examples of the interrupt setting process as well.
In the following, the example of verifying whether the control process A 201 controls interrupts properly is described; verifying the control process B 202 or the processes in the hardware driver follows the same procedure.
In the simulator device 100, the verification scenario creation unit 102 first analyzes the implementation code 500.
The verification scenario creation unit 102 designates a plurality of timings at which an interrupt may occur when the implementation code 500 is installed in and executed by the control device 200 (referred to as interrupt candidate timings or interrupt points).
Next, the scheduler 101 executes the implementation code 500 for verification.
Each time an interrupt candidate timing arrives during the execution of the implementation code 500, the interrupt simulation unit 105 checks whether the control process A 201 currently has the permission setting or the prohibition setting in effect.
If the permission setting is in effect at the interrupt candidate timing, the interrupt simulation unit 105 raises an interrupt.
If the prohibition setting is in effect at the interrupt candidate timing, the interrupt simulation unit 105 does not raise an interrupt.
When the execution of the implementation code 500 is complete, the verification item analysis unit 104 selects, from the interrupt candidate timings, those at which disabling interrupts is assumed to be appropriate (the candidate timings at which it is considered desirable for the user to judge whether the prohibition setting by the control process is appropriate) as the interrupt-disable expected timings, and verifies on the basis of the execution result of the implementation code 500 whether the control process A 201 properly disabled interrupts at those timings.
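As an added illustration, not the patent's own code, the following Python script models the interrupt verification just described on a constructed control process: variables shared between the control process and the interrupt handler are the contention variables, the step boundaries immediately before and after each access to one of them are the interrupt points, an interrupt is injected at an interrupt point only while the permission setting is in effect, and the access log is then checked so that every run of two or more consecutive accesses to contention variables was made under the prohibition setting. All names (Step, simulate, verify_interrupt_masking and the sample step lists) are assumptions made for this example.

```python
"""Added example (not the patent's code): a miniature version of the interrupt
verification outlined above, run on a constructed control process.
Names (Step, simulate, verify_interrupt_masking, ...) are assumptions."""
from dataclasses import dataclass


@dataclass
class Step:
    """One statement of a process: a variable access or an interrupt setting."""
    op: str           # "read", "write", "disable_irq" or "enable_irq"
    var: str = ""     # variable name for read/write, empty otherwise


# Constructed sample.  The interrupt handler updates state1 and state2 as a
# pair, so a control process must read both without an intervening interrupt
# (compare the state variable 253 shared with the interrupt process).
ISR_STEPS = [Step("write", "state1"), Step("write", "state2")]

GOOD_PROCESS = [Step("disable_irq"), Step("read", "state1"),
                Step("read", "state2"), Step("enable_irq"),
                Step("read", "local")]
# Same reads, but the prohibition setting was forgotten.
BAD_PROCESS = [Step("read", "state1"), Step("read", "state2"),
               Step("read", "local")]


def contention_vars(*processes):
    """Variables accessed by more than one process (contention variables)."""
    owners = {}
    for pid, steps in enumerate(processes):
        for s in steps:
            if s.var:
                owners.setdefault(s.var, set()).add(pid)
    return {v for v, pids in owners.items() if len(pids) > 1}


def interrupt_points(process, shared):
    """Step boundaries immediately before and after each access to a
    contention variable; boundary i lies just before step i."""
    points = set()
    for i, s in enumerate(process):
        if s.var in shared:
            points.update({i, i + 1})
    return sorted(points)


def simulate(process, isr, shared):
    """Execute the control process; at every interrupt point, run the ISR if
    the permission setting is in effect.  Returns the access log as
    (actor, op, var, irq_enabled) tuples in execution order."""
    log = []
    enabled = True                      # interrupts are enabled at start
    points = set(interrupt_points(process, shared))

    def maybe_fire(boundary):
        if boundary in points and enabled:
            for s in isr:
                log.append(("isr", s.op, s.var, True))

    for i, s in enumerate(process):
        maybe_fire(i)
        if s.op == "disable_irq":
            enabled = False
        elif s.op == "enable_irq":
            enabled = True
        log.append(("ctrl", s.op, s.var, enabled))
    maybe_fire(len(process))
    return log


def verify_interrupt_masking(log, shared):
    """Findings: runs of two or more consecutive control-process accesses to
    contention variables (the interrupt-disable expected timings) during which
    an interrupt was taken or the permission setting was still in effect."""
    findings, run, isr_inside = [], [], False

    def close_run():
        nonlocal run, isr_inside
        if len(run) >= 2 and (isr_inside or any(e[3] for e in run)):
            findings.append([e[2] for e in run])
        run, isr_inside = [], False

    for entry in log:
        actor, op, var, _ = entry
        if actor == "ctrl" and op in ("read", "write") and var in shared:
            run.append(entry)
        elif actor == "isr":
            isr_inside = isr_inside or bool(run)   # interrupt taken mid-run
        else:
            close_run()
    close_run()
    return findings


if __name__ == "__main__":
    shared = contention_vars(GOOD_PROCESS, ISR_STEPS)
    for name, proc in (("good", GOOD_PROCESS), ("bad", BAD_PROCESS)):
        found = verify_interrupt_masking(simulate(proc, ISR_STEPS, shared), shared)
        print(name, "interrupt points:", interrupt_points(proc, shared),
              "findings:", found)
```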
In the event count verification, the simulator device 100 verifies whether the number of occurrences of each of two or more related events is appropriate.
The simulator device 100 stores, among the events generated by executing the implementation code 500, two or more related events in association with each other as related events.
Related events are two or more events in a causal relationship, such as a request event and a response event.
The simulator device 100 also stores the relationship between the occurrence counts of the related events that holds when the implementation code 500 is correct.
For example, suppose the simulator device 100 stores event A and event B in association with each other as related events.
In this case the simulator device 100 stores, as the relationship between the occurrence counts of the related events, for example the relationship that the number of occurrences of event A equals the number of occurrences of event B.
The scheduler 101 executes the implementation code 500, and the control monitoring unit 103 counts the occurrences of the events generated by that execution.
After the execution of the implementation code 500 is complete, the verification item analysis unit 104 verifies whether the occurrence counts of the related events are appropriate.
In the example above, the control monitoring unit 103 counts the occurrences of event A and of event B, and the verification item analysis unit 104 verifies whether the counted occurrences of event A and event B are equal.
FIG. 3 shows the S/W architecture of the implementation code 500.
The scheduler 101 periodically activates the control process A 201, the control process B 202 and each process in the hardware driver 203.
These processes exchange data through shared variables called control signals, and perform control operations.
Note that the relationship between processes and signals shown in FIG. 3 is only an example; the scope of application of this embodiment is not limited to it.
Control operations and control signals are explained below.
Control operations comprise cooperative operations between control processes, and I/O operations, interrupt operations and timer operations performed by a control process on the hardware driver.
Cooperative operations comprise a request operation, in which one control process (for example, the control process A 201) requests a given computation from another control process (for example, the control process B 202), and a response operation, in which the control process that received the request (for example, the control process B 202) returns the result to the requesting control process (for example, the control process A 201).
I/O operations comprise an operation in which a control process reads data from an I/O device and an operation in which a control process writes data to an I/O device.
Interrupt operations comprise an operation in which a control process sets interrupt permission and an operation in which a control process sets interrupt prohibition.
Timer operations comprise an operation in which a control process notifies a timer start, an operation in which a control process notifies a timer end, and an operation in which a control process accepts a timeout notification.
Control signals comprise the cooperation signal 251, exchanged between control processes, and the I/O signals, exchanged between a control process and the hardware driver.
The I/O signals comprise the I/O port signal 252 for passing information between a control process and the I/O process 2031, the state variable 253 for passing information between a control process and the interrupt process 2032, and the counter signal 254 for passing information between a control process and the timer process 2033.
Signals not shown in FIG. 3 may be added as I/O signals.
The simulator device 100 manages, for example, the request operation and the response operation of a cooperative operation as related events.
It also manages, for example, the I/O read operation and the I/O write operation of an I/O operation as related events.
It also manages, for example, the interrupt permission setting operation and the interrupt prohibition setting operation of an interrupt operation as related events.
Further, it manages, for example, the operation that notifies a timer start, the operation that accepts a timer end notification and the operation that accepts a timeout notification of a timer operation as related events.
In the hardware driver 203, the I/O process 2031, the interrupt process 2032 and the timer process 2033 run in parallel with the control processes in order to handle register accesses to the I/O ports, interrupts raised by the H/W and timeouts raised by the H/W.
The scheduler 101 manages the execution of the control process A 201, the control process B 202, the I/O process 2031, the interrupt process 2032 and the timer process 2033.
For example, if the execution priority of the hardware driver 203 is higher than that of a control process, the scheduler 101 suspends the control process, runs the hardware driver 203, and resumes the control process after the hardware driver 203 has finished.
The control processes and the hardware driver 203 change their processing according to the values of the control signals.
Next, the configuration of the simulator device 100 according to this embodiment is described with reference to FIG. 1.
The verification scenario creation unit 102 reads the implementation code 500 from the program storage unit 108 and the cooperation variables from the cooperation variable storage unit 107, analyzes them, and creates a verification scenario.
A verification scenario consists of input sequence information and interrupt point information.
The input sequence information describes the transitions of the input values supplied to the implementation code 500.
The input sequence information is, for example, the information shown in FIG. 7.
The interrupt point information describes the interrupt points.
The interrupt point information is, for example, the information shown in FIG. 8.
Details of the input sequence information and the interrupt point information are given later.
The verification scenario generated by the verification scenario creation unit 102 is stored in the verification scenario storage unit 110.
The verification scenario creation unit 102 corresponds to an example of an interrupt candidate timing designation unit.
The implementation code execution unit 1011 reads the implementation code 500 from the program storage unit 108 and the scheduler setting from the scheduler setting storage unit 109, and executes the implementation code 500 according to the scheduler setting.
The scheduler setting describes the activation cycles and the activation order of the implementation code 500 and the I/O device simulation program 600.
The scheduler setting is, for example, the information shown in FIG. 9.
Details of the scheduler setting are given later.
The implementation code execution unit 1011 corresponds to an example of a program execution unit.
The I/O device simulation program execution unit 1012 reads the I/O device simulation program 600 from the program storage unit 108, the verification scenario from the verification scenario storage unit 110, and the scheduler setting from the scheduler setting storage unit 109.
It then executes the I/O device simulation program 600 according to the verification scenario and the scheduler setting.
When executing the I/O device simulation program 600, the I/O device simulation program execution unit 1012 also uses the timer notifications from the timer simulation unit 106.
On the basis of an H/W interrupt from the interrupt simulation unit 105, the I/O device simulation program execution unit 1012 simulates the interrupt 206 and requests an interrupt from the interrupt process 2032 in the hardware driver 203.
The I/O device simulation program execution unit 1012 corresponds to an example of a program execution unit and also to an example of an interrupt generation unit.
The implementation code execution unit 1011 and the I/O device simulation program execution unit 1012 are a refinement of the scheduler 101 shown in FIG. 2.
The interrupt simulation unit 105 reads the verification scenario from the verification scenario storage unit 110 and the I/O device state information (interrupt) from the I/O device state storage unit 111.
It then simulates the behaviour of H/W interrupts according to the verification scenario and the I/O device state information (interrupt).
The I/O device state information (interrupt) indicates whether interrupts are currently permitted or prohibited.
The I/O device state information (interrupt) is, for example, the information shown in FIG. 10.
When an interrupt point indicated in the verification scenario arrives, the interrupt simulation unit 105 consults the I/O device state information (interrupt) and, if interrupts are permitted, notifies the I/O device simulation program execution unit 1012 of an H/W interrupt.
Details of the I/O device state information (interrupt) are given later.
The interrupt simulation unit 105 corresponds to an example of an interrupt generation unit.
The timer simulation unit 106 reads the I/O device state information (timer) from the I/O device state storage unit 111 and simulates the behaviour of the H/W timer according to it.
The I/O device state information (timer) holds the details of the timer settings.
The I/O device state information (timer) is the information shown in FIG. 11.
Details of the I/O device state information (timer) are given later.
The control monitoring unit 103 reads the control operation information from the control operation information storage unit 115 and, during the execution of the implementation code 500, counts the control operations, which are the event occurrences, according to the control operation information.
During the execution of the implementation code 500, the control monitoring unit 103 also monitors the accesses to the control signals (variables) by the control process A 201 and the other processes.
The control monitoring unit 103 records the control operation counts in the control operation count storage unit 112 and records the variable access status in the control signal access log storage unit 113 as the control signal access log.
The control operation counts are recorded in the control operation count storage unit 112 in, for example, the formats shown in FIGS. 12 to 15.
The control signal access log is, for example, the information shown in FIG. 16.
The control operation information lists the related operations, which are the related events, and states the condition on the relationship between the occurrence counts of the related operations.
The control operation information is, for example, the information shown in FIG. 19.
FIG. 19 shows the related operations of the cooperative operations between the control process A 201 and the control process B 202.
The example of FIG. 19 shows a cooperative operation X and a cooperative operation Y, which differ in the type of computation.
In the cooperative operation X, the request operation from the control process A 201 and the response operation from the control process B 202 are defined as related operations; in the cooperative operation Y, the request operation from the control process B 202 and the response operation from the control process A 201 are defined as related operations.
In the example of FIG. 19 the relation condition is "±0", meaning that the number of request operations must equal the number of response operations.
The relation condition defines the relationship between the occurrence counts of related operations that holds when the implementation code 500 is correct; in the example of FIG. 19 it defines that, when the implementation code 500 is correct, the number of request operations equals the number of response operations.
Although omitted from FIG. 19, the control operation information also defines corresponding entries for I/O operations, interrupt operations and timer operations.
In the example of FIG. 19 the condition is that the numbers of request and response operations are equal, but other conditions may be defined.
For example, a condition may be defined under which the implementation code 500 is judged correct if [number of request operations] ≥ [number of response operations].
The control monitoring unit 103 corresponds to an example of a counting unit.
The control operation information corresponds to an example of related event information.
The control operation information storage unit 115 corresponds to an example of a related event information storage unit.
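The event count verification outlined earlier and the control operation information of FIG. 19 just described, as an added Python example that is not the patent's own code: a constructed control operation log is counted per (process, operation) as the control monitoring unit would, and each related operation pair is checked against its relation condition, "±0" for the cooperative operations X and Y and, as an assumed alternative, "≥" for an I/O pair. The operation names, RelatedOps, verify_counts and the log itself are assumptions made for this example.

```python
"""Added example (not the patent's code): event count verification over a
constructed control operation log.  Names are assumptions."""
from collections import Counter
from typing import NamedTuple


class RelatedOps(NamedTuple):
    """One row of control operation information: two related operations and
    the condition on their counts ("±0": equal; ">=": first may exceed second)."""
    name: str
    first: tuple       # (process, operation)
    second: tuple
    condition: str


# Constructed control operation information.  The two cooperative operations
# mirror FIG. 19; the I/O and interrupt rows are assumptions for this example.
CONTROL_OPERATION_INFO = [
    RelatedOps("cooperation X", ("A", "request_X"), ("B", "response_X"), "±0"),
    RelatedOps("cooperation Y", ("B", "request_Y"), ("A", "response_Y"), "±0"),
    RelatedOps("I/O", ("A", "io_read"), ("A", "io_write"), ">="),
    RelatedOps("interrupt", ("A", "irq_disable"), ("A", "irq_enable"), "±0"),
]

# Constructed log as the control monitoring unit would record it during one
# run of the implementation code: (process, operation) in execution order.
OPERATION_LOG = [
    ("A", "irq_disable"), ("A", "io_read"), ("A", "request_X"), ("A", "irq_enable"),
    ("B", "response_X"),
    ("B", "request_Y"), ("A", "response_Y"),
    ("A", "irq_disable"), ("A", "io_read"), ("A", "request_X"), ("A", "irq_enable"),
    ("B", "response_X"), ("A", "io_write"),
    ("B", "request_Y"),                       # second request from B never answered
    ("A", "irq_disable"), ("A", "request_X"), # interrupts never re-enabled here
    ("B", "response_X"),
]


def count_operations(log):
    """Control monitoring unit: occurrence count of every (process, operation)."""
    return Counter(log)


def check_condition(n_first, n_second, condition):
    """Verification item analysis unit: evaluate one relation condition."""
    if condition == "±0":
        return n_first == n_second
    if condition == ">=":
        return n_first >= n_second
    raise ValueError(f"unknown relation condition {condition!r}")


def verify_counts(log, info):
    """One (name, n_first, n_second, condition, ok) row per related operation
    pair; ok is False where the counted occurrences violate the condition."""
    counts = count_operations(log)
    return [(r.name, counts[r.first], counts[r.second], r.condition,
             check_condition(counts[r.first], counts[r.second], r.condition))
            for r in info]


def failed_items(log, info):
    """Names of the related operation pairs whose condition does not hold."""
    return [row[0] for row in verify_counts(log, info) if not row[4]]


if __name__ == "__main__":
    for row in verify_counts(OPERATION_LOG, CONTROL_OPERATION_INFO):
        print("%-14s %d vs %d  %-3s  %s" % (row[0], row[1], row[2], row[3],
                                            "OK" if row[4] else "NG"))
```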
The verification item analysis unit 104 reads the control operation counts from the control operation count storage unit 112 and verifies whether they satisfy the relation conditions given in the control operation information.
The verification item analysis unit 104 also reads the control signal access log from the control signal access log storage unit 113.
It then analyzes the accesses to the control signals (variables) by the control process A 201 and the other processes, and verifies whether interrupts were properly disabled at the interrupt-disable expected timings.
The verification item analysis unit 104 also creates a verification report showing the verification results and stores it in the verification report storage unit 114.
The verification item analysis unit 104 corresponds to an example of a verification unit.
Next, an operation example of the simulator device 100 according to this embodiment is described using the flowchart of FIG. 4.
The inputs of the flowchart of FIG. 4 are the implementation code 500 and the information identifying the cooperation variables.
The output of the flowchart of FIG. 4 is the verification report, that is, the result of the verification item analysis unit 104 verifying the execution result of the implementation code 500.
To simulate the operation of I/O devices such as the sensor device 300 and the drive device 400, the I/O device simulation program 600 must be executed with a short cycle different from that of the implementation code 500.
The steps of the flowchart of FIG. 4 are described below in order, but they are not executed in the order described.
The steps from the execution of the implementation code 500 (S102) to the execution of the interrupt process (S106) are executed sequentially, the steps from the execution of the I/O device simulation program 600 (S107) to the execution of the timer process (S109) are executed sequentially, and these two flows run in parallel.
First, the verification scenario creation unit 102 analyzes the implementation code 500 and the linkage variables and creates a verification scenario (S101).
As described above, the verification scenario consists of input sequence information and interrupt point information.
The input sequence information is information in which the input values to be given to the implementation code 500 via the hardware driver 203 are arranged in time series.
The interrupt point information is information specifying the timings (interrupt points) at which the occurrence of an interrupt in the H/W is simulated.
As shown in FIG. 5, the verification scenario creation unit 102 creates the input sequence information, for example by an existing method, based on the input artifacts from which the implementation code 500 was created, such as the customer specification, the control specification, and the function specification.
Alternatively, the verification scenario creation unit 102 may create the input sequence information, for example by an existing method, based on a coverage criterion for the implementation code 500 (for example, C0, C1, C2, or MC/DC (Modified Condition/Decision Coverage)).
Alternatively, the input sequence information may be created by combining these two methods.
In creating the interrupt point information, the verification scenario creation unit 102 identifies the locations in the implementation code 500 where a plurality of processes (a plurality of control processes, or a control process and a process in the hardware driver) access the same control signal (variable), and extracts the control signals (variables) accessed by a plurality of processes as contention control signals (contention variables).
The verification scenario creation unit 102 then designates the timings before and after each access to a contention control signal as interrupt points.
FIG. 6 illustrates contention control signals and interrupt points.
In FIG. 6, the control process A 201 and the interrupt process 2032 access the state variables 1 to 3, and the timer process 2033 accesses the state variable 3.
Thus, the state variables 1 to 3 are accessed by a plurality of processes, and the verification scenario creation unit 102 extracts the state variables 1 to 3 as contention control signals.
The verification scenario creation unit 102 then designates the timings before and after the accesses to each state variable as interrupt points.
In the example of FIG. 6, the verification scenario creation unit 102 designates four timings as interrupt points.
FIG. 7 shows an example of the input sequence information.
In the example of FIG. 7, the input variables of the implementation code 500 are i and j, and the values assigned to the input variables i and j are shown in time series.
Each row in FIG. 7 shows the pattern of input values for one test.
In the present embodiment, since the simulator device 100 simulates operation for a finite time, a maximum number of steps is specified in the input sequence information.
The maximum number of steps is the maximum value of the number of activations, that is, the number of activations used to determine the end of operation.
FIG. 8 shows an example of the interrupt point information.
FIG. 8 is the interrupt point information corresponding to the example of FIG. 6.
As described above, the timings before and after the accesses to the state variables 1 to 3 are the interrupt points.
The simulator device 100 performs as many tests as there are rows in FIG. 7.
That is, if the input sequence information consists of n rows, the interrupt simulation unit 105 repeats the execution of the implementation code 500 n times, using the pattern of input values in each row of the input sequence information.
Then, during each execution of the implementation code 500, the interrupt simulation unit 105 generates an H/W interrupt at each interrupt point shown in FIG. 8 unless interrupts are prohibited there.
The description returns to the flowchart of FIG. 4.
When the verification scenario has been generated, the control processes in the implementation code 500 and the I/O device simulation program 600 are executed according to the start cycle and start order specified in the scheduler settings (S102, S107).
In the execution of the I/O device simulation program 600 (S107), the I/O device simulation program execution unit 1012 reads the input values for the current step from the input sequence information of the verification scenario and sets them in the input variables of the implementation code 500.
The scheduler settings are shown in FIG. 9.
FIG. 9 shows the scheduler settings for a case in which two kinds of I/O device simulation programs 600, two kinds of I/O processes 2031, and two kinds of control processes are executed in the simulator device 100.
The start order represents the execution priority when there are a plurality of processes with the same start cycle.
The process whose start order is "1" is executed with priority.
In the execution of the implementation code 500 (S102), the implementation code execution unit 1011 reads the input values, reads and writes each control signal, and executes the control computations as specified by the control logic described in the implementation code 500, and writes the output values resulting from the computations to the output variables.
During execution of the implementation code 500, interrupt permission or interrupt prohibition is set by the control processes.
Specifically, interrupt permission or interrupt prohibition is set in the I/O device state information (interrupt) in the I/O device state storage unit 111.
FIG. 10 shows an example of the I/O device state information (interrupt).
FIG. 10 shows the I/O device state information (interrupt) for a case in which two interrupts 206, X and Y, are provided.
When a timer start or timer end occurs in a control process, information for timer management is written to the I/O device state information (timer) in the I/O device state storage unit 111.
FIG. 11 shows an example of the I/O device state information (timer).
FIG. 11 shows the I/O device state information (timer) for a case in which two timers 207, X and Y, are provided.
In the I/O device state information (timer), the timer type is set to one-shot (the timer ends automatically after timing out once) or continuous (timeouts occur repeatedly until a timer end operation is performed), and the timer state is set to started or ended.
The I/O device state information (timer) also holds a timer value and a counter.
The description returns to the flowchart of FIG. 4.
During the execution of the implementation code 500 (S102), the control monitoring unit 103 monitors control operations and control signal accesses (S103).
When the control monitoring unit 103 detects a control operation, it increments the control operation count of the corresponding control operation (S104).
When the control monitoring unit 103 detects a control signal access, it appends the control signal name, access type, and access value to the control signal access log in time order (S105).
FIGS. 12 to 15 show the control operation count information.
FIG. 12 is the control operation count information (cooperation operation), which shows the control operation counts for cooperation operations.
FIG. 13 is the control operation count information (I/O operation), which shows the control operation counts for I/O operations.
FIG. 14 is the control operation count information (interrupt operation), which shows the control operation counts for interrupt operations.
FIG. 15 is the control operation count information (timer operation), which shows the control operation counts for timer operations.
In the control operation count information (cooperation operation) and the control operation count information (I/O operation), two control operations whose "relation condition" is "YES" are related operations.
That is, two control operations whose "relation condition" is "YES" are defined as related operations in the control operation information of FIG. 19.
In the control operation count information (interrupt operation) and the control operation count information (timer operation), the pair of control operations described on the same row are related operations.
FIG. 16 shows a control signal access log.
The control signal access log records a "process name", a "control signal name", an "access type", and an "access value".
The "process name" column records the name of the process that accessed the control signal.
The "control signal name" column records the name of the accessed control signal.
The "access type" column records the type of access performed.
The "access value" column records the value read from or written to the control signal.
The description returns to the flowchart of FIG. 4.
At each interrupt point shown in FIG. 8, the interrupt simulation unit 105 refers to the I/O device state information (interrupt) of FIG. 10 and, if the interrupt state is "permitted", generates an H/W interrupt (S106).
When the interrupt simulation unit 105 generates an H/W interrupt, the I/O device simulation program execution unit 1012 simulates the I/O port 205 and raises an interrupt to the interrupt process 2032 of the implementation code 500.
The interrupt process 2032 accesses the target control signal (for example, state variable 1).
On the other hand, if the interrupt state at the interrupt point is "prohibited", the interrupt simulation unit 105 does not generate an H/W interrupt.
The timer simulation unit 106 refers to the I/O device state information (timer) of FIG. 11 and, if the timer state is "started", counts up the corresponding timer (S108).
When the counter reaches or exceeds the timer value and the timer expires, the implementation code execution unit 1011 executes the corresponding timer process 2033.
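As an added illustration (not code from the patent), the following Python models the interrupt simulation at S106 and the timer simulation at S108 over a stand-in for the I/O device state information of FIGS. 10 and 11; the field names, the handler callables and the constructed scenario in `demo_run` are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class InterruptState:
    """One row of the I/O device state information (interrupt), FIG. 10."""
    state: str = "prohibited"  # "permitted" or "prohibited"


@dataclass
class TimerState:
    """One row of the I/O device state information (timer), FIG. 11."""
    kind: str                 # "one-shot" or "continuous"
    state: str = "ended"      # "started" or "ended"
    timer_value: int = 0      # count at which the timer expires
    counter: int = 0          # counted up by the timer simulation unit


class DeviceStateStore:
    """Stand-in for the I/O device state storage unit 111 together with the
    parts of the interrupt simulation unit 105 (S106) and the timer
    simulation unit 106 (S108) that read it. Names are assumed."""

    def __init__(self, interrupts: List[str], timers: Dict[str, str]) -> None:
        self.interrupts = {n: InterruptState() for n in interrupts}
        self.timers = {n: TimerState(kind=k) for n, k in timers.items()}
        self.trace: List[str] = []  # what happened, for the reader

    # Operations the control processes perform during S102.
    def permit_interrupt(self, name: str) -> None:
        self.interrupts[name].state = "permitted"

    def prohibit_interrupt(self, name: str) -> None:
        self.interrupts[name].state = "prohibited"

    def start_timer(self, name: str, timer_value: int) -> None:
        t = self.timers[name]
        t.state, t.timer_value, t.counter = "started", timer_value, 0

    def end_timer(self, name: str) -> None:
        self.timers[name].state = "ended"

    # S106: at an interrupt point of FIG. 8, raise the interrupt only if permitted.
    def at_interrupt_point(self, name: str, handler: Callable[[], None]) -> bool:
        if self.interrupts[name].state != "permitted":
            self.trace.append(f"interrupt {name} suppressed (prohibited)")
            return False
        self.trace.append(f"interrupt {name} raised")
        handler()  # the interrupt process 2032 runs here
        return True

    # S108/S109: one tick of the short I/O simulation cycle.
    def tick_timers(self, handlers: Dict[str, Callable[[], None]]) -> List[str]:
        expired: List[str] = []
        for name, t in self.timers.items():
            if t.state != "started":
                continue
            t.counter += 1
            if t.counter < t.timer_value:
                continue
            expired.append(name)
            self.trace.append(f"timer {name} timeout")
            handlers[name]()  # the timer process 2033 runs here
            if t.kind == "one-shot":
                t.state = "ended"   # one-shot: ends automatically after one timeout
            else:
                t.counter = 0       # continuous: times out again until end_timer()
        return expired


def demo_run() -> List[str]:
    """Constructed scenario: interrupt X is prohibited around a critical
    section and permitted afterwards; timer X is one-shot, timer Y continuous."""
    store = DeviceStateStore(interrupts=["X", "Y"],
                             timers={"X": "one-shot", "Y": "continuous"})
    fired: List[str] = []
    handlers = {"X": lambda: fired.append("timer X"),
                "Y": lambda: fired.append("timer Y")}

    store.prohibit_interrupt("X")
    store.at_interrupt_point("X", lambda: fired.append("irq X"))  # suppressed
    store.permit_interrupt("X")
    store.at_interrupt_point("X", lambda: fired.append("irq X"))  # raised

    store.start_timer("X", 2)
    store.start_timer("Y", 2)
    for _ in range(5):
        store.tick_timers(handlers)  # X fires once at tick 2; Y at ticks 2 and 4
    store.end_timer("Y")
    store.tick_timers(handlers)      # Y ended: nothing more fires
    return fired


if __name__ == "__main__":
    print(demo_run())  # ['irq X', 'timer X', 'timer Y', 'timer Y']
```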
When the number of activations of the implementation code 500 and the I/O device simulation program 600 reaches the maximum number of steps in FIG. 7, the verification item analysis unit 104 verifies the control operation counts and the control signal access log, and creates a verification report (S110).
More specifically, the verification item analysis unit 104 refers to the control operation count information of FIGS. 12 to 15 and determines that the control operation counts are appropriate if the numbers of occurrences of related operations balance.
The determination method for each control operation is as follows.
Number of occurrences of "request operation" = number of occurrences of "response operation" (when the relation condition is YES)
Number of occurrences of "I/O read" = number of occurrences of "I/O write" (when the relation condition is YES)
Number of occurrences of "interrupt permission" = number of occurrences of "interrupt prohibition"
Number of occurrences of "timer start" = number of occurrences of "timer end" + number of occurrences of "timeout" (for a one-shot timer)
Number of occurrences of "timer start" = number of occurrences of "timer end" (for a continuous timer)
In the examples of FIGS. 12 to 15, the verification item analysis unit 104 determines that the cooperation operation X of the control process A is appropriate and that the cooperation operation Y of the control process B is also appropriate.
It determines that the I/O operation X of the control process A is not appropriate.
It determines that the interrupt operation X of the control process A is appropriate and that the interrupt operation Y of the control process B is not appropriate.
It determines that the timer operation X of the control process A is appropriate and that the timer operation Y of the control process B is not appropriate.
The verification item analysis unit 104 also refers to the control signal access log of FIG. 16 and determines that the interrupt control is appropriate if no access to a contention control signal by another process is interleaved between the accesses to the contention control signals by the control process A or the like.
In the example of FIG. 16, the verification item analysis unit 104 focuses on the state variables 1, 2, and 3, which are the contention control signals.
In the example of FIG. 16, an access from the interrupt process to the state variable 1 (No. 3) is interleaved between the accesses from the control process A to these state variables (No. 2, No. 4, No. 5), so the verification item analysis unit 104 determines that interrupts were not properly prohibited at the interrupt prohibition assumed timing.
That is, from among the plurality of interrupt candidate timings, the verification item analysis unit 104 selects the timings that fall between the accesses from the control process A to the state variables 1, 2, and 3 as the interrupt prohibition assumed timings, and checks whether any of the state variables 1, 2, and 3 was accessed by another process at an interrupt prohibition assumed timing.
If any of the state variables 1, 2, and 3 was accessed by another process at an interrupt prohibition assumed timing, the verification item analysis unit 104 determines that interrupts were not properly prohibited.
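An added example, not part of the patent, of the interleaving check just described, run over a constructed access log shaped like FIG. 16; the entry fields, the function names and the assumption that the log covers a single activation of the control process are mine.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class AccessLogEntry:
    """One row of the control signal access log (FIG. 16)."""
    no: int           # row number, i.e. time order
    process: str      # "process name"
    signal: str       # "control signal name"
    access: str       # "access type": "read" or "write"
    value: int        # "access value"


def check_interrupt_prohibition(log: Iterable[AccessLogEntry], control_process: str,
                                contention_signals: Set[str]) -> List[AccessLogEntry]:
    """Return the log entries showing that interrupts were not properly prohibited.

    Assumption (not stated in the text): the log covers one activation of
    `control_process`, so every gap between two consecutive accesses of that
    process to a contention signal is an interrupt-prohibition assumed timing.
    Any access to a contention signal by another process inside such a gap is
    reported; accesses before the first or after the last own access are not."""
    rows = sorted(log, key=lambda e: e.no)
    own = [i for i, e in enumerate(rows)
           if e.process == control_process and e.signal in contention_signals]
    violations: List[AccessLogEntry] = []
    for lo, hi in zip(own, own[1:]):           # each assumed-prohibited window
        for e in rows[lo + 1:hi]:
            if e.process != control_process and e.signal in contention_signals:
                violations.append(e)
    return violations


def interrupt_control_report(log: Iterable[AccessLogEntry], control_process: str,
                             contention_signals: Set[str]) -> Dict[str, object]:
    """The 'interrupt control' item of the verification report (S110)."""
    bad = check_interrupt_prohibition(log, control_process, contention_signals)
    return {"interrupt control": "appropriate" if not bad else "not appropriate",
            "interleaved accesses": [(e.no, e.process, e.signal, e.access) for e in bad]}


CONTENTION = {"state variable 1", "state variable 2", "state variable 3"}

# Constructed log in the shape of FIG. 16: control process A touches the three
# contention signals at No. 2, 4 and 5; the interrupt process writes state
# variable 1 at No. 3, in the middle of that run.
SAMPLE_LOG = [
    AccessLogEntry(1, "control process A", "input i", "read", 1),
    AccessLogEntry(2, "control process A", "state variable 1", "read", 0),
    AccessLogEntry(3, "interrupt process", "state variable 1", "write", 1),
    AccessLogEntry(4, "control process A", "state variable 2", "write", 1),
    AccessLogEntry(5, "control process A", "state variable 3", "write", 1),
    AccessLogEntry(6, "timer process", "state variable 3", "read", 1),
]

# Same accesses, but the interrupt arrives only after A's run is complete.
FIXED_LOG = [e for e in SAMPLE_LOG if e.no != 3] + [
    AccessLogEntry(7, "interrupt process", "state variable 1", "write", 1)]


if __name__ == "__main__":
    print(interrupt_control_report(SAMPLE_LOG, "control process A", CONTENTION))
    print(interrupt_control_report(FIXED_LOG, "control process A", CONTENTION))
```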
The verification item analysis unit 104 also determines whether the access values recorded in the control signal access log are correct in light of the input artifacts from which the implementation code 500 was created, such as the customer specification, the control specification, and the function specification.
The verification item analysis unit 104 then outputs a verification report.
The verification report describes at least the items (control operation counts, interrupt control) that the verification item analysis unit 104 did not determine to be appropriate.
For example, the user of the simulator device 100 uses the verification report generated by the simulator device 100 to check the operation of the implementation code on an ISO 26262 certified microcomputer emulator.
In this way, the implementation code can easily be made to conform to the ISO 26262 standard.
According to the simulator device 100 of the present embodiment, the following effects can be obtained.
Since the implementation code is verified by running it on a computer, there is no need to generate a dedicated description as in the prior art.
Therefore, there is no need to guarantee consistency between the implementation code and a dedicated description, and the correctness of the verification result is easy to guarantee.
By exhaustively executing the input sequences and interrupt points given to the S/W through the execution of the I/O device simulation program, all variations of processing arising from the parallel operation of H/W and S/W can be verified without omission.
By detecting defects related to the H/W-S/W interface in unit testing, the rework effort from S/W integration testing onward can be reduced.
As described above, the present embodiment has described a software parallel operation verification device comprising:
a configuration that analyzes the implementation code and the linkage variables to create a verification scenario consisting of an input sequence and interrupt points;
a configuration that executes the implementation code according to the start cycle and start order specified in the scheduler settings;
a configuration that executes the I/O device simulation program according to the scheduler settings and the verification scenario;
a configuration that simulates the operation of the H/W timers according to the timer type, timer state, and timer value specified in the I/O device state information;
a configuration that monitors the control operations during execution of the implementation code and records the control operation counts;
a configuration that monitors the accesses to the control signals during execution of the implementation code and records the control signal access log;
a configuration that simulates the operation of the H/W interrupts according to the verification scenario and the interrupt state specified in the I/O device state information;
a configuration that checks whether requests and responses correspond correctly in the recorded control operation counts;
a configuration that verifies whether the contention control signals are accessed exclusively in the recorded control signal access log; and
a configuration that creates a verification report from the results of checking the control operation counts and the control signal access log.
Embodiment 2.
In Embodiment 1, a method of verifying the implementation code 500 by keeping the control processes under verification running at all times was described.
In the present embodiment, a method of verifying the implementation code 500 by dynamically generating or deleting the control processes under verification is described.
In the present embodiment, the scheduler settings of FIG. 17 are used instead of the scheduler settings of FIG. 9.
Compared with the scheduler settings of FIG. 9, the scheduler settings of FIG. 17 have additional columns for a start trigger and a start state.
The start trigger column indicates the event that starts or ends a control process.
In the example of FIG. 17, a cooperation signal, an I/O port, a state variable, and a counter are described.
In the example of FIG. 17, the control process C starts operating when, for example, an event of receiving a predetermined cooperation signal 251 occurs.
The implementation code execution unit 1011 periodically executes the control processes whose start state is "always" and the hardware driver 203.
When a state matching the start trigger of a control process occurs and its start state is "start", the implementation code execution unit 1011 starts the periodic execution of that control process.
When a state matching the start trigger of a control process occurs and its start state is "end", the implementation code execution unit 1011 ends the periodic execution of that control process.
As described above, according to the present embodiment, implementation code that includes control processes which operate only for a limited time can also be verified.
As described above, the present embodiment has described a software parallel operation verification device in which start triggers are set in advance in the scheduler settings, and when a state matching a start trigger occurs during execution of the implementation code, the corresponding control process is dynamically generated or terminated.
Embodiment 3.
In Embodiment 1, a method of verifying the control operation counts for each control process was described.
In the present embodiment, a method of verifying the control operation counts in units of groups, each of which combines a plurality of control processes, is described.
That is, in the present embodiment, the verification item analysis unit 104 verifies whether the relationships between control operation counts are appropriate across a plurality of control processes.
There are cases in which a request and its response are matched across a plurality of control processes, such as one control process permitting interrupts and another control process prohibiting them.
To handle such cases, the simulator device 100 according to the present embodiment creates groups of control processes and determines that the counts are appropriate if the number of request operations and the number of response operations are equal within a group.
In the present embodiment, as in Embodiment 1, the interrupt simulation unit 105 counts the control operations per control process, but the verification by the verification item analysis unit 104 is performed per group of control processes.
In the present embodiment, for example, the control operation count information shown in FIG. 18 is used.
In FIG. 18, a "group name" column is added to the control operation count information (interrupt operation) of FIG. 14.
That is, in the example of FIG. 18, the control process A and the control process B are grouped together.
FIG. 18 shows only the control operation count information (interrupt operation), but group information is likewise added to the control operation count information (cooperation operation), the control operation count information (I/O operation), and the control operation count information (timer operation).
In FIG. 18, for each of the control process A and the control process B individually, the number of interrupt permissions ≠ the number of interrupt prohibitions, but when verified in units of the group α, the number of interrupt permissions = the number of interrupt prohibitions, so the verification item analysis unit 104 determines that the control operation counts are appropriate.
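The following added Python (not the patent's code) applies the count-balance rules listed in Embodiment 1 per process and, when a group name is present, per group as in this embodiment; the row fields, the operation names and the numbers in the constructed rows are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class CountRow:
    """One row of the control operation count information (FIGS. 12 to 15;
    FIG. 18 adds the group name column)."""
    process: str                 # e.g. "control process A"
    category: str                # "cooperation", "io", "interrupt" or "timer"
    name: str                    # the operation, e.g. "X"
    counts: Dict[str, int]       # per-operation counts
    related: bool = True         # the "relation condition" column (cooperation, I/O)
    timer_kind: Optional[str] = None  # "one-shot" or "continuous" (timer rows)
    group: Optional[str] = None  # "group name"; None means verify per process


def counts_balanced(category: str, c: Dict[str, int],
                    related: bool, timer_kind: Optional[str]) -> bool:
    """The determination rules of Embodiment 1, one per category."""
    n = lambda op: c.get(op, 0)
    if category == "cooperation":
        return (not related) or n("request operation") == n("response operation")
    if category == "io":
        return (not related) or n("I/O read") == n("I/O write")
    if category == "interrupt":
        return n("interrupt permission") == n("interrupt prohibition")
    if category == "timer":
        if timer_kind == "one-shot":
            return n("timer start") == n("timer end") + n("timeout")
        return n("timer start") == n("timer end")
    raise ValueError(f"unknown category {category!r}")


def verify_counts(rows: List[CountRow]) -> Dict[Tuple[str, str], bool]:
    """Sum the counts per verification unit and apply the rules.

    A row with a group name is verified together with every other row of the
    same group and category (Embodiment 3); a row without one is its own unit
    (Embodiment 1). Returns {(unit, category): appropriate?}."""
    totals: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    meta: Dict[Tuple[str, str], Tuple[bool, Optional[str]]] = {}
    for r in rows:
        unit = r.group if r.group is not None else f"{r.process}/{r.name}"
        key = (unit, r.category)
        for op, count in r.counts.items():
            totals[key][op] += count
        meta[key] = (r.related, r.timer_kind)
    return {key: counts_balanced(key[1], totals[key], *meta[key]) for key in totals}


def inappropriate_items(rows: List[CountRow]) -> List[Tuple[str, str]]:
    """What the verification report lists: units whose counts did not balance."""
    return sorted(k for k, ok in verify_counts(rows).items() if not ok)


# Constructed numbers in the spirit of FIG. 18: each process alone is
# unbalanced, but the group as a whole balances.
A_X = CountRow("control process A", "interrupt", "X",
               {"interrupt permission": 2, "interrupt prohibition": 1})
B_Y = CountRow("control process B", "interrupt", "Y",
               {"interrupt permission": 0, "interrupt prohibition": 1})
PER_PROCESS = [A_X, B_Y]                                   # Embodiment 1 view
GROUPED = [replace(A_X, group="α"), replace(B_Y, group="α")]  # Embodiment 3 view


if __name__ == "__main__":
    print(inappropriate_items(PER_PROCESS))  # both processes flagged
    print(inappropriate_items(GROUPED))      # [] : group α balances
```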
In this way, the present embodiment allows flexible verification matched to how the control operations actually occur.
As described above, the present embodiment has described a software parallel operation verification device that verifies whether the counts of a plurality of control operations correspond correctly in units of groups, each combining a plurality of control processes.
Finally, a hardware configuration example of the simulator device 100 shown in Embodiments 1 to 3 will be described with reference to FIG. 20.
The simulator device 100 is a computer, and each element of the simulator device 100 can be realized by a program.
In the hardware configuration of the simulator device 100, an arithmetic device 901, an external storage device 902, a main storage device 903, a communication device 904, and an input/output device 905 are connected to a bus.
The arithmetic device 901 is a CPU that executes programs.
The external storage device 902 is, for example, a ROM (Read Only Memory), a flash memory, or a hard disk device.
The main storage device 903 is a RAM (Random Access Memory).
Each "... storage unit" shown in FIG. 1 is realized by the external storage device 902 or the main storage device 903.
The communication device 904 is, for example, a NIC (Network Interface Card).
The input/output device 905 is, for example, a mouse, a keyboard, or a display device.
The programs are normally stored in the external storage device 902 and, while loaded in the main storage device 903, are sequentially read into and executed by the arithmetic device 901.
The programs realize the functions described as "... unit" in FIG. 1 (excluding the "... storage units"; the same applies below).
Further, an operating system (OS) is also stored in the external storage device 902; at least part of the OS is loaded into the main storage device 903, and the arithmetic device 901 executes the programs that realize the functions of the "... units" shown in FIG. 1 while executing the OS.
In the description of Embodiments 1 to 3, the information, data, signal values, and variable values indicating the results of the processing described as "determination of ...", "judgment of ...", "verification of ...", "extraction of ...", "detection of ...", "designation of ...", "setting of ...", "counting of ...", "simulation of ...", "execution of ...", "selection of ...", "generation of ...", "input of ...", "output of ...", and the like are stored as files in the main storage device 903.
Encryption keys, decryption keys, random values, and parameters may also be stored as files in the main storage device 903.
 なお、図20の構成は、あくまでもシミュレータ装置100のハードウェア構成の一例を示すものであり、シミュレータ装置100のハードウェア構成は図20に記載の構成に限らず、他の構成であってもよい。 Note that the configuration of FIG. 20 is merely an example of the hardware configuration of the simulator device 100, and the hardware configuration of the simulator device 100 is not limited to the configuration illustrated in FIG. 20, but may be other configurations. .
 また、実施の形態1~3に示す手順により、本発明に係るプログラム検証方法を実現可能である。 Further, the program verification method according to the present invention can be realized by the procedure shown in the first to third embodiments.
 以上、本発明の実施の形態について説明したが、これらの実施の形態のうち、2つ以上を組み合わせて実施しても構わない。
 あるいは、これらの実施の形態のうち、1つを部分的に実施しても構わない。
 あるいは、これらの実施の形態のうち、2つ以上を部分的に組み合わせて実施しても構わない。
 なお、本発明は、これらの実施の形態に限定されるものではなく、必要に応じて種々の変更が可能である。
As mentioned above, although embodiment of this invention was described, you may implement in combination of 2 or more among these embodiment.
Alternatively, one of these embodiments may be partially implemented.
Alternatively, two or more of these embodiments may be partially combined.
In addition, this invention is not limited to these embodiment, A various change is possible as needed.
 100 シミュレータ装置、101 スケジューラ、102 検証シナリオ作成部、103 制御監視部、104 検証項目解析部、105 割込み模擬部、106 タイマ模擬部、107 連携変数記憶部、108 プログラム記憶部、109 スケジューラ設定記憶部、110 検証シナリオ記憶部、111 I/Oデバイス状態記憶部、112 制御操作回数記憶部、113 制御信号アクセスログ記憶部、114 検証レポート記憶部、115 制御操作情報記憶部、1011 実装コード実行部、1012 I/Oデバイス模擬プログラム実行部、200 制御機器、201 制御処理A、202 制御処理B、203 ハードウェアドライバ、204 I/Oポート、205 I/Oポート、206 割込み、207 タイマ、2031 I/O処理、2032 割込み処理、2033 タイマ処理、251 連携信号、252 I/Oポート信号、253 状態変数、254 カウンタ信号、300 センサデバイス、400 駆動デバイス、500 実装コード、600 I/Oデバイス模擬プログラム。 100 simulator device, 101 scheduler, 102 verification scenario creation unit, 103 control monitoring unit, 104 verification item analysis unit, 105 interrupt simulation unit, 106 timer simulation unit, 107 linked variable storage unit, 108 program storage unit, 109 scheduler setting storage unit , 110 Verification scenario storage unit, 111 I / O device state storage unit, 112 Control operation count storage unit, 113 Control signal access log storage unit, 114 Verification report storage unit, 115 Control operation information storage unit, 1011 Implementation code execution unit, 1012 I / O device simulation program execution unit, 200 control device, 201 control process A, 202 control process B, 203 hardware driver, 204 I / O port, 205 I / O port, 206 interrupt, 207 timer 2031 I / O processing, 2032 interrupt processing, 2033 timer processing, 251 linkage signal, 252 I / O port signal, 253 status variable, 254 counter signal, 300 sensor device, 400 driving device, 500 mounting code, 600 I / O device Mock program.

Claims (14)

  1.  A program verification device for verifying a verification target program that includes an interrupt setting process for performing settings related to interrupts, the program verification device comprising:
     an interrupt candidate timing designation unit that analyzes the verification target program and designates, as interrupt candidate timings, a plurality of timings at which an interrupt may occur when the verification target program is executed on the device that executes the verification target program;
     a program execution unit that executes the verification target program;
     an interrupt generation unit that, during execution of the verification target program by the program execution unit, does not generate an interrupt at an interrupt candidate timing if the interrupt setting process has made a setting that prohibits interrupts at that interrupt candidate timing, and generates an interrupt at the interrupt candidate timing if the interrupt setting process has made a setting that permits interrupts at that interrupt candidate timing; and
     a verification unit that selects, from among the plurality of interrupt candidate timings, an interrupt candidate timing at which prohibiting interrupts is assumed to be appropriate as an interrupt prohibition assumed timing, analyzes the execution result of the verification target program, and determines whether a setting that prohibits interrupts was made by the interrupt setting process at the interrupt prohibition assumed timing.
  2.  The program verification device according to claim 1, wherein
     the program execution unit executes a verification target program that includes a variable access process, which is a process that accesses a variable, and
     the interrupt candidate timing designation unit
     extracts, as a conflict variable, a variable that is accessed by the variable access process and that is also accessed by the interrupt generation unit when the interrupt generation unit generates an interrupt, and
     designates the timings before and after each access to the conflict variable by the variable access process as interrupt candidate timings.
  3.  The program verification device according to claim 2, wherein
     the verification unit selects, from among the plurality of interrupt candidate timings, an interrupt candidate timing that falls between accesses to the conflict variable by the variable access process as the interrupt prohibition assumed timing, and determines whether a setting that prohibits interrupts was made by the interrupt setting process at the interrupt prohibition assumed timing.
  4.  The program verification device according to claim 3, wherein
     the verification unit analyzes an access history of the conflict variable as the execution result of the verification target program and, when it detects that the conflict variable was accessed by an interrupt between accesses to the conflict variable by the variable access process, determines that a setting that prohibits interrupts was not made by the interrupt setting process at the interrupt prohibition assumed timing.
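As an added illustration of claims 1 to 4 (this is not code from the patent or from Mitsubishi Electric), the following Python simulator extracts the conflict variables, designates candidate interrupt timings before and after each access to them, injects a simulated interrupt only where the program has left interrupts enabled, and then judges from the access log whether masking was missing between two accesses. The instruction format, the two main programs and the interrupt handler are constructed toy inputs.

```python
# Constructed toy programs (not from the patent). An instruction is a tuple:
# ("DI",) disable interrupts, ("EI",) enable interrupts,
# ("READ", var) / ("WRITE", var) access a variable.
ISR = [("WRITE", "counter"), ("WRITE", "flag")]  # simulated interrupt handler
GOOD = [("DI",), ("READ", "counter"), ("WRITE", "counter"), ("EI",), ("READ", "status")]
BAD = [("READ", "counter"), ("WRITE", "counter"), ("READ", "status")]  # unmasked read-modify-write

def accessed_variables(prog):
    return {ins[1] for ins in prog if ins[0] in ("READ", "WRITE")}

def conflict_variables(main_prog, isr_prog):
    """Variables touched both by the main program and by the interrupt handler (claim 2)."""
    return accessed_variables(main_prog) & accessed_variables(isr_prog)

def candidate_timings(main_prog, conflicts):
    """Timing t means 'just before instruction t'; one timing before and one after
    every access to a conflict variable (claim 2)."""
    timings = set()
    for t, ins in enumerate(main_prog):
        if ins[0] in ("READ", "WRITE") and ins[1] in conflicts:
            timings.update((t, t + 1))
    return sorted(timings)

def execute(main_prog, isr_prog, timings):
    """Run the program; at each candidate timing the simulated interrupt fires only if
    the program has left interrupts enabled (claim 1). Returns the variable access log."""
    enabled = True
    log = []  # entries: (source, op, variable, timing)
    for t, ins in enumerate(main_prog + [("END",)]):
        if t in timings and enabled:
            for op, *args in isr_prog:
                if op in ("READ", "WRITE"):
                    log.append(("isr", op, args[0], t))
        op = ins[0]
        if op == "DI":
            enabled = False
        elif op == "EI":
            enabled = True
        elif op in ("READ", "WRITE"):
            log.append(("main", op, ins[1], t))
    return log

def verify(log, conflicts):
    """Timings between two main accesses to a conflict variable are assumed to require
    masking (claim 3); an interrupt access logged there shows it was not masked (claim 4)."""
    findings = []
    pending = {}  # variable -> timings of ISR accesses since the last main access
    for source, _op, var, t in log:
        if var not in conflicts:
            continue
        if source == "isr":
            if var in pending:
                pending[var].append(t)
        else:
            if pending.get(var):
                findings.append((var, pending[var]))
            pending[var] = []
    return findings

def run_verification(main_prog, isr_prog):
    """Whole flow: GOOD yields [], BAD yields [("counter", [1])]."""
    conflicts = conflict_variables(main_prog, isr_prog)
    log = execute(main_prog, isr_prog, set(candidate_timings(main_prog, conflicts)))
    return verify(log, conflicts)
```

The finding for BAD names the conflict variable and the candidate timing at which the injected interrupt wrote it between the main program's read and write.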
  5.  A program verification device for verifying a verification target program, comprising:
     a related event information storage unit that stores related event information in which two or more related events, from among a plurality of events that occur through execution of the verification target program, are shown associated with each other as related events, and in which the relationship between the numbers of occurrences of the related events when the verification target program is correct is shown;
     a program execution unit that executes the verification target program;
     a counting unit that counts the number of occurrences of each related event during execution of the verification target program by the program execution unit; and
     a verification unit that determines whether the relationship between the numbers of occurrences of the related events counted by the counting unit matches the relationship shown in the related event information.
  6.  The program verification device according to claim 5, wherein
     the related event information storage unit stores related event information in which, as the relationship between the numbers of occurrences of the related events, it is shown that the numbers of occurrences are balanced among the related events, and
     the verification unit determines whether the numbers of occurrences counted by the counting unit are balanced among the related events.
  7.  The program verification device according to claim 5 or 6, wherein
     the related event information storage unit stores related event information in which at least one of the following is shown as related events:
     two or more related events that occur through execution of a control process included in the verification target program;
     two or more related events that occur through execution of an I/O (Input/Output) process included in the verification target program;
     two or more related events that occur through execution of an interrupt process included in the verification target program; and
     two or more related events that occur through execution of a timer process included in the verification target program.
  8.  The program verification device according to any one of claims 1 to 7, wherein
     the program execution unit executes a verification target program, in which the operation algorithm of a control device that controls an I/O (Input/Output) device is described, together with an I/O device simulation program that simulates the operation of the I/O device and the operation of the interface of the control device to the I/O device.
  9.  The program verification device according to any one of claims 1 to 8, wherein
     the program execution unit executes a verification target program that includes a plurality of control processes and in which a start event is defined for a specific control process among the plurality of control processes, and
     starts the specific control process when the start event of the specific control process occurs during execution of the verification target program.
  10.  The program verification device according to any one of claims 1 to 9, wherein
     the program execution unit executes a verification target program that includes a plurality of control processes and in which an end event is defined for a specific control process among the plurality of control processes, and
     ends the specific control process when the end event of the specific control process occurs during execution of the verification target program.
  11.  The program verification device according to claim 5, wherein
     the program execution unit executes a verification target program that includes a plurality of control processes,
     the counting unit counts the number of occurrences of each related event during execution of the verification target program by the program execution unit in units of control processes, and
     the verification unit determines, across two or more control processes, whether the relationship between the numbers of occurrences of the related events counted by the counting unit matches the relationship shown in the related event information.
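As an added illustration of claims 5 to 7 and 11 (not code from the patent or from Mitsubishi Electric), the following Python check counts related events per control process from an execution trace and tests whether each related pair is balanced, first within one control process and then summed across all of them. The related event pairs and the trace are constructed sample data.

```python
from collections import Counter

# Constructed related event information (claims 6 and 7): each pair must occur
# equally often when the verification target program is correct.
RELATED_EVENTS = [
    ("int_disable", "int_enable"),   # interrupt processing
    ("port_open", "port_close"),     # I/O processing
    ("timer_start", "timer_stop"),   # timer processing
]

# Constructed execution trace: (control process, event) in order of occurrence.
# control_A starts a timer that control_B stops; control_B nests two interrupt
# disables but re-enables only once.
TRACE = [
    ("control_A", "int_disable"), ("control_A", "port_open"),
    ("control_A", "port_close"), ("control_A", "int_enable"),
    ("control_A", "timer_start"),
    ("control_B", "timer_stop"),
    ("control_B", "int_disable"), ("control_B", "int_disable"),
    ("control_B", "int_enable"),
]

def count_events(trace):
    """Count occurrences of each event per control process (claim 11)."""
    counts = Counter()
    for process, event in trace:
        counts[(process, event)] += 1
    return counts

def check_balance(counts, related, processes=None):
    """Return (event_a, event_b, count_a, count_b) for every related pair whose counts
    are not balanced. `processes` limits the check to those control processes; None
    sums the counts across all of them (claim 11)."""
    def total(event):
        return sum(n for (process, e), n in counts.items()
                   if e == event and (processes is None or process in processes))
    unbalanced = []
    for a, b in related:
        na, nb = total(a), total(b)
        if na != nb:
            unbalanced.append((a, b, na, nb))
    return unbalanced

def verify_trace(trace, related=RELATED_EVENTS):
    """Per-process results first, then the result spanning all control processes."""
    counts = count_events(trace)
    processes = sorted({p for p, _ in trace})
    per_process = {p: check_balance(counts, related, {p}) for p in processes}
    return per_process, check_balance(counts, related)
```

On the sample trace the per-process check flags the timer pair in both processes, while the cross-process check clears it (the handoff between control_A and control_B is balanced) and exposes the interrupt-disable count that is never matched by an enable.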
  12.  A program verification method in which a computer verifies a verification target program that includes an interrupt setting process for performing settings related to interrupts, the program verification method comprising:
     analyzing, by the computer, the verification target program and designating, as interrupt candidate timings, a plurality of timings at which an interrupt may occur when the verification target program is executed on the device that executes the verification target program;
     executing, by the computer, the verification target program;
     during execution of the verification target program, by the computer, not generating an interrupt at an interrupt candidate timing if the interrupt setting process has made a setting that prohibits interrupts at that interrupt candidate timing, and generating an interrupt at the interrupt candidate timing if the interrupt setting process has made a setting that permits interrupts at that interrupt candidate timing; and
     selecting, by the computer, from among the plurality of interrupt candidate timings, an interrupt candidate timing at which prohibiting interrupts is assumed to be appropriate as an interrupt prohibition assumed timing, analyzing the execution result of the verification target program, and determining whether a setting that prohibits interrupts was made by the interrupt setting process at the interrupt prohibition assumed timing.
  13.  A program verification method in which a computer verifies a verification target program, the program verification method comprising:
     reading, by the computer, from a predetermined storage area, related event information in which two or more related events, from among a plurality of events that occur through execution of the verification target program, are shown associated with each other as related events, and in which the relationship between the numbers of occurrences of the related events when the verification target program is correct is shown;
     executing, by the computer, the verification target program;
     counting, by the computer, the number of occurrences of each related event during execution of the verification target program; and
     determining, by the computer, whether the relationship between the counted numbers of occurrences of the related events matches the relationship shown in the related event information.
  14.  A program that causes a computer to function as the program verification device according to claim 1 or 5.
PCT/JP2013/066381 2013-06-13 2013-06-13 Program verification device, program verification method, and program WO2014199496A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2015522353A JP5951130B2 (en) 2013-06-13 2013-06-13 Program verification apparatus, program verification method, and program
PCT/JP2013/066381 WO2014199496A1 (en) 2013-06-13 2013-06-13 Program verification device, program verification method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2013/066381 WO2014199496A1 (en) 2013-06-13 2013-06-13 Program verification device, program verification method, and program

Publications (1)

Publication Number Publication Date
WO2014199496A1 true WO2014199496A1 (en) 2014-12-18

Family

ID=52021826

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2013/066381 WO2014199496A1 (en) 2013-06-13 2013-06-13 Program verification device, program verification method, and program

Country Status (2)

Country Link
JP (1) JP5951130B2 (en)
WO (1) WO2014199496A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07249012A (en) * 1993-07-07 1995-09-26 Fujitsu Ltd Simulator
JPH09319613A (en) * 1996-03-29 1997-12-12 Toshiba Corp Device and method for supporting program development
JP2005309800A (en) * 2004-04-22 2005-11-04 Matsushita Electric Ind Co Ltd Software verification method and method for forming verification data
US7505952B1 (en) * 2003-10-20 2009-03-17 The Board Of Trustees Of The Leland Stanford Junior University Statistical inference of static analysis rules
JP2010160704A (en) * 2009-01-08 2010-07-22 Toshiba Corp Debug support device
JP2012014523A (en) * 2010-07-01 2012-01-19 Hitachi Ltd Subroutine execution monitoring device and subroutine execution monitoring method
JP2013045177A (en) * 2011-08-22 2013-03-04 Canon Inc Information processing device and program

Also Published As

Publication number Publication date
JP5951130B2 (en) 2016-07-13
JPWO2014199496A1 (en) 2017-02-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 13886638; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase
Ref document number: 2015522353; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 13886638; Country of ref document: EP; Kind code of ref document: A1