WO2015087409A1 - Source code generation device, source code verification device, source code generation method, and source code generation program - Google Patents


Info

Publication number
WO2015087409A1
Authority
WO
WIPO (PCT)
Prior art keywords
code
source code
scheduler
model
software specification
Prior art date
Application number
PCT/JP2013/083185
Other languages
French (fr)
Japanese (ja)
Inventor
佐藤 直人
宮崎 邦彦
クリシュナージ デサイ
伊藤 信治
アンドレアス フィアスト
ソン タイ ホアン
ディビッド ベイジン
Original Assignee
株式会社日立製作所
Priority date
Filing date
Publication date
Application filed by 株式会社日立製作所
Priority to PCT/JP2013/083185 (WO2015087409A1)
Related application JP2015552239A, published as JP6084706B2
Publication of WO2015087409A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/35 Creation or generation of source code model driven

Definitions

  • The present invention relates to technology for supporting software development, and more particularly to technology for generating source code from software specifications.
  • Patent Document 1 further discloses a method for generating source code from the proven formal model. Generating source code from a proven formal model avoids the problems of manual source code development and reduces the effort it requires. As a result, effects such as a reduction in software development man-hours and a reduction in software defects are obtained.
  • In Event-B, which is a type of formal method, the formal model is described in a highly abstract formal language that does not specify the control structure of the processes (events).
  • In a general source code description language such as the C language, the control structure of the processes is described in detail. Therefore, in order to generate source code from a formal model that does not include a control structure, as in an Event-B formal model, the control structure must be defined.
  • Non-Patent Document 1 discloses a method that enables source code generation from a formal model described in the Event-B language by extending the Event-B language so that the control structure can be defined. This method makes it possible to generate source code from a formal model that does not include a control structure. As a result, even when the software specification is proved with a formal model that does not include a control structure, the software development man-hours can be reduced by generating the source code.
  • The above conventional technology makes it possible to define a control structure for a formal model and to generate source code from the formal model including that control structure.
  • The generation of the source code is realized by a tool. If there is an error in the implementation of the tool, that error may also be introduced into the generated source code.
  • An error here means that the generated source code is not the result of refining the software specification represented by the formal model from which it was generated, and therefore does not realize the software specification.
  • Although testing is effective for detecting source code with such an error, testing cannot always detect the error, and so it is not sufficient as a means of solving the problem.
  • A source code generation device according to the present invention generates source code described in a programming language from a software specification described in a formal language.
  • The source code generation device is configured with: scheduler editing means for editing a scheduler that defines, for the processing of the software specification, which does not include a control structure, a control structure including at least an if conditional branch structure and a do loop structure; source code generation means for generating, from the software specification and the edited scheduler, source code including at least an if conditional branch structure or a do loop structure; scheduled model generation means for generating, from the software specification and the edited scheduler, a scheduled model that includes a control structure and is described in the formal language; and flattened code generation means for generating, from the software specification and the edited scheduler, flattened code that includes goto statements and does not include an if conditional branch structure or a do loop structure.
  • The present invention can also be understood as a source code generation method and a source code generation program executed by the source code generation device.
  • The present invention may also be configured as a source code verification device that proves refinement and equivalence using data received from the source code generation device.
  • The drawings include a block diagram showing a hardware configuration example of the source code generation device and a block diagram showing a configuration example of the source code verification device.
  • This embodiment is applied to a source code generation device.
  • In this embodiment, in order to generate Target code, which is the source code to be generated from a Restricted model in which the correctness of the software specification has been formally proved, a Scheduled model, which is a formal model including a control structure, is generated, and Flattened code, which is source code that uses goto statements instead of if branches and do loops, is also generated.
  • The Scheduled model and the Flattened code bridge the differences between the Restricted model and the Target code in the presence or absence of a control structure and in description language.
  • The Target code is verified by proving the refinement relationship between the Restricted model and the Scheduled model, proving the equivalence between the Scheduled model and the Flattened code, and proving the equivalence between the Flattened code and the Target code.
  • According to the present embodiment, since an error in the generated Target code can be detected, defects in software that uses the Target code can be reduced.
  • In this embodiment, input of a scheduler representing the control structure of the processes of the Restricted model is received.
  • The scheduler can describe an if conditional branch structure, a do loop structure, and sequential composition using the events included in the Restricted model. The scheduler can further describe a pre-state and a post-state, which are conditions to be satisfied before and after execution of an event, an if conditional branch structure, or a do loop structure.
  • In the present embodiment, it is possible to confirm that the control structure indicated by the scheduler is executable by confirming that there is no contradiction between the preconditions and postconditions in the scheduler.
  • If there is such a contradiction, the Scheduled model is not the result of refining the Restricted model. That is, a design error in the scheduler can be detected before the Scheduled model, the Flattened code, and the Target code are generated. Therefore, according to the present embodiment, the rework required when the scheduler contains a design error can be reduced.
  • In the Restricted model, there is a restriction that the variables and constants included in the model have an upper limit value and a lower limit value.
  • When the Restricted model includes an arithmetic expression, the expression is restricted so that no value exceeding the upper limit value or the lower limit value is assigned to a variable.
  • The Restricted model is generated from a Developed model that does not have the above restrictions, and it can be proved that the Restricted model is a refinement of the Developed model. Therefore, according to the present embodiment, the effort of creating the Restricted model from the Developed model in order to obtain the Target code can be reduced.
  • FIG. 1 is a block diagram illustrating a configuration example of the source code generation device 201 in the present embodiment for Event-B.
  • The source code generation device 201 includes a model editing unit 101, a developed model holding unit 102, a model conversion unit 103, a restricted model holding unit 104, a code generation unit 105, a scheduled model holding unit 106, a flattened code holding unit 107, a target code holding unit 108, a model refinement proving unit 109, a refinement proof result holding unit 110, a scheduler holding unit 111, a scheduler editing unit 112, a scheduler checking unit 113, an intermediate product equivalence proving unit 114, an intermediate product proof result holding unit 115, a code equivalence proving unit 116, a code proof result holding unit 117, and an intermediate product generation unit 118.
  • The model editing unit 101 accepts creation and editing of a Developed model described in the Event-B language and registers it in the developed model holding unit 102.
  • The Developed model is a formal model whose variables and constants do not have an upper limit or a lower limit.
  • The model conversion unit 103 acquires the Developed model from the developed model holding unit 102 and converts it into a Restricted model described in the Event-B language.
  • An example of the conversion procedure is shown in FIG.
  • The variables and constants included in the Restricted model have upper and lower limits.
  • When the Restricted model includes an arithmetic expression, the upper limit value and the lower limit value of the constants are set so that no value exceeding the upper limit value or the lower limit value is assigned to a variable by the arithmetic expression.
  • The created Restricted model is registered in the restricted model holding unit 104.
  • The code generation unit 105 acquires the Restricted model from the restricted model holding unit 104, generates Target code described in a programming language such as C from the acquired Restricted model, and registers the Target code in the target code holding unit 108.
  • The Target code is source code that includes an if conditional branch structure and a do loop structure. An example of the code generation procedure is shown in FIGS.
  • The scheduler editing unit 112 accepts creation and editing of the scheduler and registers it in the scheduler holding unit 111.
  • The scheduler can describe an if conditional branch structure, a do loop structure, and sequential composition using the events (EVENTS) included in the Restricted model. The scheduler can further describe a pre-state and a post-state, which are conditions to be satisfied before and after execution of an event, an if conditional branch structure, or a do loop structure.
  • The scheduler checking unit 113 acquires the scheduler from the scheduler holding unit 111 and checks that there is no contradiction between the preconditions and postconditions in the scheduler. For example, suppose an event evt is executed when the condition cond of an if conditional branch structure bran is satisfied. In this case, the precondition of the event evt must be derivable from the precondition of the if conditional branch structure bran together with the condition cond, and the postcondition of the if conditional branch structure bran must be derivable from the postcondition of the event evt. If these cannot be derived, the control structure indicated by the scheduler is erroneous and cannot be executed.
  • FIG. 8 shows an example of the scheduler. Line 803, surrounded by [], represents a postcondition of the do loop structure above it, and line 804, surrounded by ⁇, represents a precondition of the event final below it.
  • The intermediate product generation unit 118 acquires the Restricted model from the restricted model holding unit 104 and generates a Scheduled model described in the Event-B language and Flattened code described in a programming language such as C.
  • The generated Scheduled model and Flattened code are registered in the scheduled model holding unit 106 and the flattened code holding unit 107, respectively.
  • The Scheduled model is a model in which the control structure defined by the scheduler is reflected in the Restricted model.
  • The Flattened code does not include an if conditional branch structure or a do loop structure; instead, it includes goto statements. Examples of the procedures for generating the Scheduled model and the Flattened code are shown in FIGS. 13A to 13C and FIGS. 14A to 14C, respectively.
  • In this embodiment the C language is used as an example of the description language of the Target code, but Target code described in other programming languages can also be generated.
  • In that case, the Flattened code must likewise be described in that other programming language, and the code equivalence proving unit 116 must support that language.
  • Alternatively, the Flattened code may be described as abstract pseudo code (Pseudo code), with a code equivalence proving unit 116 prepared for each description language of the Target code.
  • The model refinement proving unit 109 acquires the Restricted model and the Scheduled model from the restricted model holding unit 104 and the scheduled model holding unit 106, respectively, and proves that the Scheduled model is the result of refining the Restricted model.
  • The proof result is registered in the refinement proof result holding unit 110.
  • An example of the proof procedure is shown in FIG.
  • The proof result held by the refinement proof result holding unit 110 consists of the Developed model, the Restricted model, and a message of “proof success” or “proof failure”.
  • The model refinement proving unit 109 also acquires the Developed model from the developed model holding unit 102 and proves that the Restricted model is the result of refining the Developed model.
  • The proof result is registered in the refinement proof result holding unit 110.
  • This proof can be carried out by the same procedure as shown in FIG.
  • The proof result held by the refinement proof result holding unit 110 consists of the Restricted model, the Scheduled model, and a message of “proof success” or “proof failure”.
  • The intermediate product equivalence proving unit 114 acquires the Scheduled model and the Flattened code from the scheduled model holding unit 106 and the flattened code holding unit 107, respectively, and proves that the Scheduled model and the Flattened code are equivalent.
  • The proof result is registered in the intermediate product proof result holding unit 115.
  • An example of the proof procedure is shown in FIGS. 18A and 18B.
  • The proof result held by the intermediate product proof result holding unit 115 consists of the Scheduled model, the Flattened code, and a message of “proof success” or “proof failure”.
  • The code equivalence proving unit 116 acquires the Flattened code and the Target code from the flattened code holding unit 107 and the target code holding unit 108, respectively, and proves that the Flattened code and the Target code are equivalent.
  • The proof result is registered in the code proof result holding unit 117.
  • An example of the proof procedure is shown in FIGS. 19, 20A, and 20B.
  • The proof result held by the code proof result holding unit 117 consists of the Flattened code, the Target code, and a message of “proof success” or “proof failure”.
  • FIG. 2 is a diagram illustrating a hardware configuration example of the source code generation device according to the present embodiment.
  • The source code generation device 201 includes a CPU 202, a memory 203, an external storage device 204, a display device 205, an input device 206, and an external medium input/output device 207.
  • The CPU 202 executes various processes by executing programs stored in the memory 203.
  • The memory 203 functions as a work area for the CPU 202 and stores the programs and the data necessary for executing them.
  • The memory 203 stores the programs constituting the model editing unit 101, the model conversion unit 103, the code generation unit 105, the model refinement proving unit 109, the scheduler editing unit 112, the scheduler checking unit 113, the intermediate product equivalence proving unit 114, the code equivalence proving unit 116, and the intermediate product generation unit 118, and at the same time stores the data held by the developed model holding unit 102, the restricted model holding unit 104, the scheduled model holding unit 106, the flattened code holding unit 107, the target code holding unit 108, the refinement proof result holding unit 110, the scheduler holding unit 111, the intermediate product proof result holding unit 115, and the code proof result holding unit 117.
  • The external storage device 204 stores various data.
  • The external storage device 204 is, for example, a hard disk device. Specifically, it stores the data held by the developed model holding unit 102, the restricted model holding unit 104, the scheduled model holding unit 106, the flattened code holding unit 107, the target code holding unit 108, the refinement proof result holding unit 110, the scheduler holding unit 111, the intermediate product proof result holding unit 115, and the code proof result holding unit 117.
  • At least part of the programs constituting the model editing unit 101, the model conversion unit 103, the code generation unit 105, the model refinement proving unit 109, the scheduler editing unit 112, the scheduler checking unit 113, the intermediate product equivalence proving unit 114, the code equivalence proving unit 116, and the intermediate product generation unit 118 may also be stored in the external storage device 204, and the CPU 202 may read a program into the memory 203 and execute it when executing the various processes.
  • Each program may be stored in the memory 203 or the external storage device 204 in advance, or may be introduced from another device into the memory 203 or the external storage device 204 via an available medium as necessary.
  • The medium is, for example, a storage medium that can be attached to and detached from the external medium input/output device 207, or a communication medium such as a network, a carrier wave propagating through the network, or a digital signal.
  • The display device 205 displays the processing results of the programs.
  • The display device 205 is, for example, a display.
  • The input device 206 receives process execution instructions and the input of information necessary for the processes from the user.
  • The input device 206 is, for example, a keyboard and a mouse.
  • The external medium input/output device 207 inputs and outputs data stored in the external storage device 204 to and from an external medium.
  • The external medium is a portable storage medium that can be attached to and detached from the external medium input/output device 207, and the external medium input/output device 207 is a drive device that can read from and write to the external medium.
  • The communication device 212 transmits and receives data stored in the external storage device 204 over the external medium, which in this case is, for example, a local area network or the Internet.
  • The source code generation device 201 is connected to the source code verification device 210 through the network 209.
  • The source code verification device 210 has the same hardware configuration as the source code generation device 201.
  • The source code generation device 201 is used by a developer 208, and the created Developed model, Restricted model, Scheduled model, Flattened code, and Target code are transmitted to the source code verification device 210 through the communication device 212 and the network 209.
  • A verifier 211 receives the Developed model, Restricted model, Scheduled model, Flattened code, and Target code using the source code verification device 210, and performs each proof using the model refinement proving unit 109, the intermediate product equivalence proving unit 114, and the code equivalence proving unit 116, which are the same units as those included in the source code generation device 201.
  • In this embodiment a network is adopted as the means of passing the Developed model, Restricted model, Scheduled model, Flattened code, and Target code, but the transfer may instead be performed with an external medium using the external medium input/output device 207.
  • FIG. 3 is a block diagram illustrating a configuration example of the source code verification device 210.
  • The source code verification device 210 includes a developed model holding unit 102, a restricted model holding unit 104, a scheduled model holding unit 106, a flattened code holding unit 107, a target code holding unit 108, a model refinement proving unit 109, a refinement proof result holding unit 110, an intermediate product equivalence proving unit 114, an intermediate product proof result holding unit 115, a code equivalence proving unit 116, a code proof result holding unit 117, and an input receiving unit 301.
  • The input receiving unit 301 receives input of the Developed model, Restricted model, Scheduled model, Flattened code, and Target code, and registers them in the developed model holding unit 102, the restricted model holding unit 104, the scheduled model holding unit 106, the flattened code holding unit 107, and the target code holding unit 108, respectively. The refinement relationships and equivalences of the registered models and code are then proved by the same method as in the source code generation device 201.
  • FIGS. 4A, 4B, and 5 are examples of the machines and contexts constituting the Developed model held by the developed model holding unit 102.
  • FIGS. 6A, 6B, and 7 are examples of the machines and contexts constituting the Restricted model held by the restricted model holding unit 104.
  • FIG. 8 shows an example of the scheduler held by the scheduler holding unit 111.
  • FIGS. 9A to 9C are examples of the Scheduled model held by the scheduled model holding unit 106.
  • The Scheduled model includes the counter variable pc, and the control structure of the processes (events) is defined by using this counter variable in guards such as guard 913.
  • FIG. 10 shows an example of the Flattened code held by the flattened code holding unit 107.
  • FIG. 11 shows an example of the Target code held by the target code holding unit 108.
  • FIG. 12 is a flowchart illustrating a procedure example of the model conversion unit. The processing shown below is realized by a program executed by the CPU 202 of the source code generation device 201 using the memory 203. This program is composed of the code
  • The CPU 202 executes the model conversion unit 103 to create a new machine that further refines (REFINES) the most refined machine in the Developed model acquired from the developed model holding unit 102.
  • A new context is created by extending (EXTENDS) the context referenced by that most refined machine.
  • The new machine references (SEES) the new context (step 1201).
  • The new machine m_res refines (REFINES) the most refined machine m2 of the Developed model, and further references (SEES) the new context c0_res.
  • The new context c0_res extends (EXTENDS) the context c0 referenced by the machine m2.
  • Event-B employs a formal model design method called refinement (see, for example, Non-Patent Document 2: Jean-Raymond Abrial, “Modeling in Event-B”, Cambridge University Press, 2010, p. 21 and elsewhere).
  • Refinement is a design method in which part of the target software specification is first modeled abstractly and the specification is then added and refined step by step. The correctness of a refinement is proved by proving logical formulas called proof obligations concerning the refinement.
  • The model conversion unit 103 defines an upper limit value and a lower limit value that bound the range of the variables, constants, and carrier sets included in the new machine and the new context (step 1202).
  • The upper limit value MAX_INT and the lower limit value MIN_INT are defined by the constant declaration 701 and the axiom 703.
  • The model conversion unit 103 defines arithmetic functions for the four arithmetic operations in the new context (step 1203).
  • The arithmetic functions c_plus, c_minus, c_mul, and c_div are defined by the constant declaration 702 and the axiom 704.
  • The model conversion unit 103 uses the upper limit value and the lower limit value defined in step 1202 to limit the ranges of the constants and carrier sets included in the new context (step 1204).
  • The range of the constants is limited by the axiom 705.
  • The model conversion unit 103 limits the range of the variables included in the new machine using the upper limit value and the lower limit value defined in step 1202 (step 1205).
  • The invariant 601 limits the value range of the variable.
  • Since the restriction in the invariant 601 can be derived from the axiom 705, it is defined as a theorem (THEOREMS).
  • The model conversion unit 103 replaces the arithmetic expressions included in the events of the new machine with arithmetic expressions using the arithmetic functions created in step 1203 (step 1206).
  • The action 401 of the event inc is replaced with the action 602. Similar replacements are made for the other events.
  • The model conversion unit 103 limits the range of the constants so that values calculated in the middle of the arithmetic expressions replaced in step 1206 do not exceed the upper limit value and the lower limit value defined in step 1202 (step 1207).
  • The value of r + 1 + q is calculated as an intermediate result, and the value of the constant n is limited by the axiom 706 so that this intermediate value does not exceed MAX_INT.
  • FIGS. 13A to 13C are flowcharts showing an example of the procedure for generating the Scheduled model among the procedures of the intermediate product generation unit.
  • The processing shown below is realized by a program executed by the CPU 202 of the source code generation device 201 using the memory 203. This program is composed of the code
  • The CPU 202 executes the intermediate product generation unit 118 to acquire the first of the unprocessed lines of the scheduler (step 1301).
  • The intermediate product generation unit 118 then executes the following procedure depending on the type of the line acquired in step 1301: if the acquired line is an event, step 1303 is executed; if it is an if branch condition, step 1309 is executed; if it is a do loop condition, step 1314 is executed; in all other cases, step 1308 is executed (step 1302).
  • The intermediate product generation unit 118 determines whether the acquired event is INITIALIZATION. If the event is INITIALIZATION, step 1305 is executed; otherwise, step 1304 is executed (step 1303).
  • The intermediate product generation unit 118 deletes all guards of the event included in the Restricted model (step 1304). Taking the event inc in FIGS. 6A and 6B as an example, the guard 603 is deleted, as shown in FIGS. 9A to 9C.
  • The intermediate product generation unit 118 confirms that a counter variable for controlling the execution order of the events has been added to the Restricted model, and adds the counter variable if it has not. It then adds the action “initialize the counter variable to 1” to the actions of the INITIALIZATION event (step 1305). In the example of FIGS. 9A to 9C, the action 903 is added.
  • The intermediate product generation unit 118 confirms that a counter variable for controlling the execution order of the events has been added to the Restricted model, and adds the counter variable if it has not. It then adds to the event a guard meaning “the counter variable is equal to the scheduler line number of the event” (step 1306).
  • The scheduler line number means the line number of the line acquired in step 1301. In FIGS. 9A to 9C, the guard 901 is added as this guard.
  • The intermediate product generation unit 118 adds the action “increment the counter variable” to the event (step 1307). In the example of FIGS. 9A to 9C, the action 902 is added. If there is an unprocessed line in the scheduler, the intermediate product generation unit 118 returns to step 1301; if all lines have been processed, execution ends (step 1308).
  • The intermediate product generation unit 118 creates a true event, which is the branch event taken when the acquired if branch condition is true, and a false event, which is the branch event taken when the acquired if branch condition is false. The affirmation of the if branch condition is set as the guard of the true event, and its negation as the guard of the false event (step 1309).
  • In FIGS. 9A to 9C, an event if1_true is created as the true event and an event if1_false as the false event, and the guards 904 and 905 are added.
  • The intermediate product generation unit 118 adds a guard “the counter variable is equal to the scheduler line number of the if branch condition” to each of the true and false events (step 1310). In FIGS. 9A to 9C, the guards 906 and 907 are added.
  • The intermediate product generation unit 118 adds the action “increment the counter variable” to the true event (step 1311). In FIGS. 9A to 9C, the action 908 is added.
  • The intermediate product generation unit 118 adds to the false event the action “assign to the counter variable the value obtained by adding 1 to the scheduler line number of the else corresponding to the if branch condition” (step 1312).
  • The line number of the else 807 is 4. Therefore, as shown in FIGS. 9A to 9C, the action 909 is added.
  • The intermediate product generation unit 118 creates an exit event for leaving the branch when the if branch condition is true. The exit event has a guard “the counter variable is equal to the scheduler line number of the else” and an action “assign to the counter variable the value obtained by adding 1 to the scheduler line number of the fi” (step 1313).
  • The line number of the else 807 is 4 and the line number of the fi 805 is 5. Therefore, as shown in FIGS. 9A to 9C, the exit event 910 is added.
  • the intermediate product generation unit 118 creates a true event that is a branch event when the acquired do loop condition is true and a false event that is a branch event when the acquired do loop condition is false. Set affirmative of the do loop condition to the guard of the above true event. The negative of the false event guard is set (step 1314).
  • an event loop1_true is created as a true event and an event loop1_false is created as a false event.
  • a guard 911 and a guard 912 are added.
  • The intermediate product generation unit 118 adds a guard that "the counter variable is equal to the scheduler line number of the do loop condition" to each of the true and false events (step 1315).
  • a guard 913 and a guard 914 are added.
  • the intermediate product generation unit 118 adds an action “increment the counter variable” to the true event (step 1316).
  • an action 915 is added.
  • the intermediate product generation unit 118 adds an action of “substitute a value obtained by adding 1 to the scheduler line number of od to the counter variable” to the false event (step 1317).
  • the line number of od is 6. Therefore, as shown in FIGS. 9A to 9C, an action 916 is added.
  • The intermediate product generation unit 118 creates a return event that returns from od to do, realizing the do loop. The return event has a guard that "the counter variable is equal to the scheduler line number of the od" and an action "assign the scheduler line number of the do to the counter variable" (step 1318).
  • a return event 917 is added as shown in FIGS. 9A to 9C.
  • FIGS. 14A to 14C are flowcharts showing an example of the procedure by which the intermediate product generation unit generates the Flattened code.
  • The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 loads into the memory 203 and executes. This program is composed of the code
  • the CPU 202 executes the intermediate product generation unit 118 to acquire the first line among the unprocessed lines of the scheduler (step 1401).
  • The intermediate product generation unit 118 executes the following procedure according to the type of the line acquired in step 1401: if the acquired line is an event, step 1403 is executed; if it is an if branch condition, step 1409; if it is a do loop condition, step 1413; in all other cases, step 1407 (step 1402).
  • the intermediate product generation unit 118 determines whether or not the acquired event is INITIALIZATION. If the event is INITIALIZATION, step 1404 is executed. If the event is not INITIALIZATION, step 1405 is executed (step 1403).
  • the intermediate product generation unit 118 creates a code that declares a variable that is initialized by the acquired INITIALIZATION event (step 1404).
  • Since the variables p, q, and r are initialized by the INITIALIZATION event, these variables are declared by the code 1001, as shown in FIG. 10.
  • The intermediate product generation unit 118 converts the action of the acquired event into code of the programming language. An example of the conversion rules is shown in FIG. 15 (step 1405). Taking the event inc of FIGS. 6A and 6B as an example, the code 1002 is created, as shown in FIG. 10.
  • the intermediate product generation unit 118 assigns the scheduler line number of the event as a label at the top of the code created in step 1405 (step 1406). For example, in the example of FIG. 8, since the scheduler line number of the event inc is 3, the label 3 is given to the code 1002 in FIG.
  • If there is an unprocessed line in the scheduler, the intermediate product generation unit 118 returns to step 1401. If all lines have been processed, the process proceeds to step 1408 (step 1407).
  • The intermediate product generation unit 118 arranges the created codes in the order of their label numbers (step 1408).
  • The intermediate product generation unit 118 creates an if statement code whose branch condition is the negation of the acquired if branch condition, and whose body is a goto statement code that jumps to the label obtained by adding 1 to the scheduler line number of the else corresponding to that if branch condition (step 1409). Taking the if branch condition 801 of FIG. 8 as an example, the line number of the corresponding else 807 is 4; therefore the code 1004 in FIG. 10 is created.
  • The intermediate product generation unit 118 assigns the scheduler line number of the if branch condition as the label of the if statement code (step 1410). In the example of FIG. 10, the label 2 is given, as indicated by the code 1004.
  • The intermediate product generation unit 118 creates a goto statement code that jumps to the label obtained by adding 1 to the scheduler line number of the fi corresponding to the if branch condition (step 1411). In the example of FIG. 8, the line number of fi 805 is 5, so the code 1005 in FIG. 10 is created.
  • The intermediate product generation unit 118 assigns the scheduler line number of the else corresponding to the if branch condition as the label of that goto statement code (step 1412). In the example of FIG. 8, the line number of else 807 is 4; therefore, in FIG. 10, the label 4 is given, as indicated by the code 1005.
  • The intermediate product generation unit 118 creates an if statement code whose branch condition is the negation of the acquired do loop condition, and whose body is a goto statement code that jumps to the label obtained by adding 1 to the scheduler line number of the od corresponding to that do loop condition (step 1413). Taking the do loop condition 802 of FIG. 8 as an example, the line number of the corresponding od 806 is 6; therefore the code 1003 in FIG. 10 is created.
  • the intermediate product generation unit 118 assigns the scheduler line number of the do loop condition as a label of the if statement code (step 1414). In the example of FIG. 10, label 1 is given as indicated by code 1003.
  • the intermediate product generation unit 118 creates a goto statement code that jumps to the label of the if statement code (step 1415). In the example of FIG. 10, a code 1006 is created. The intermediate product generation unit 118 assigns the scheduler line number of od corresponding to the do loop condition as a label of the goto statement code (step 1416). In the example of FIG. 10, the label 6 is given as indicated by the code 1006.
  • Fig. 15 shows an example of conversion rules from Event-B language to C language.
  • the conversion rule 1501 includes an Event-B description 1502 and a C language description 1503.
  • The Event-B description 1502 is the description in the Event-B language to be converted; x and y appearing in it are metavariables for which an arbitrary logical expression with a truth value may be substituted, and a and b are metavariables for which an arbitrary expression with a numerical value may be substituted.
  • the C language description 1503 represents the description of the conversion destination C language, and x and y, and a and b appearing in the description correspond to the same symbols appearing in the Event-B description 1502.
  • A description such as T(x) represents the result of converting x by these conversion rules. For example, for variables p and q, T(p ∧ q) means (p && q).
  • FIGS. 16A and 16B are flowcharts showing an example of the procedure of the code generation unit.
  • The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 loads into the memory 203 and executes. This program is composed of the code
  • the CPU 202 executes the code generation unit 105 to acquire the first line among the unprocessed lines of the scheduler (step 1601).
  • The code generation unit 105 executes the following procedure according to the type of the line acquired in step 1601: if the acquired line is an event, step 1603 is executed; if it is an if branch condition, step 1607; if it is a do loop condition, step 1608; if it is an else, step 1611; if it is a fi, step 1609; if it is an od, step 1610; if it is a precondition or a postcondition, step 1606 (step 1602).
  • the code generation unit 105 determines whether or not the acquired event is INITIALIZATION. If the event is INITIALIZATION, step 1604 is executed. If the event is not INITIALIZATION, step 1605 is executed (step 1603).
  • the code generation unit 105 creates a code that declares a variable that is initialized by the acquired INITIALIZATION event (step 1604).
  • Since the variables p, q, and r are initialized by the INITIALIZATION event, these variables are declared by the code 1101, as shown in FIG. 11.
  • The code generation unit 105 converts the action of the acquired event into code of the programming language. An example of the conversion rules is shown in FIG. 15 (step 1605). Taking the event inc of FIGS. 6A and 6B as an example, the code 1102 is created, as shown in FIG. 11.
  • If there is an unprocessed line in the scheduler, the code generation unit 105 returns to step 1601. If all lines have been processed, the processing ends (step 1606).
  • The code generation unit 105 creates an if statement code having the acquired if branch condition as its branch condition, followed by the opening brace ({) of its body (step 1607). In the example of the if branch condition 801 in FIG. 8, the code 1103 is created, as shown in FIG. 11.
  • The code generation unit 105 outputs a while statement code having the acquired do loop condition as its loop condition, followed by the opening brace ({) of its body (step 1608). In the example of the do loop condition 802 in FIG. 8, the code 1104 in FIG. 11 is created.
  • The code generation unit 105 outputs the closing brace (}) of the if statement code corresponding to the acquired fi (step 1609). In the example of fi 805 in FIG. 8, the code 1105 in FIG. 11 is created.
  • The code generation unit 105 outputs the closing brace (}) of the while statement code corresponding to the acquired od (step 1610). In the example of od 806 in FIG. 8, the code 1106 in FIG. 11 is created.
  • For the acquired else, the code generation unit 105 outputs the closing brace (}) of the if statement code, the else statement code, and the opening brace ({) of the else body (step 1611). In the example of else 807 in FIG. 8, the code 1107 in FIG. 11 is created.
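The two generators described above, the Flattened code generation of steps 1401 to 1416 and the Target code generation of steps 1601 to 1611, can be followed end to end on a small scheduler. The Python below is an added example written for this page; it is not the patent's implementation or any tool of the applicant. The scheduler is constructed in the shape of the FIG. 8 example (a do loop enclosing an if branch and the event inc), but its conditions (`p < r`, `q = 0`), the actions of inc and INITIALIZATION, the else/fi/od pairing carried in the data instead of being searched for, the `L<n>` label syntax and the small Event-B to C rule table standing in for FIG. 15 are all assumptions.

```python
import re

# Constructed scheduler in the shape of the page's FIG. 8 example. The conditions,
# the actions of inc and INITIALIZATION, and the pre-resolved else/fi/od line
# numbers are assumptions; the figure itself is not reproduced in the text.
# Tuple: (scheduler line number, kind, payload, extra).
SCHEDULER = [
    (0, "init",  {"p": "0", "q": "0", "r": "10"}, None),     # INITIALIZATION event
    (1, "do",    "p < r",               {"od": 6}),             # do loop condition, label 1
    (2, "if",    "q = 0",               {"else": 4, "fi": 5}),  # if branch condition, label 2
    (3, "event", ("inc", "p := p + 1"), None),                  # event inc, label 3
    (4, "else",  None, None),
    (5, "fi",    None, None),
    (6, "od",    None, None),
]

# Stand-in for the FIG. 15 conversion rules, Event-B -> C (assumed subset).
RULES = {"∧": "&&", "∨": "||", "¬": "!", "≠": "!=", ":=": "=", "=": "=="}
TOKEN = re.compile(r":=|<=|>=|≠|=|∧|∨|¬")

def T(expr):
    """Apply the rules in a single pass, so the '=' produced from ':=' is not rewritten."""
    return TOKEN.sub(lambda m: RULES.get(m.group(), m.group()), expr)

def declare(init):
    """Steps 1404 / 1604: declare the variables set by the INITIALIZATION event."""
    return "int " + ", ".join(f"{v} = {e}" for v, e in init.items()) + ";"

def gen_flattened(sched):
    """Steps 1401-1416: goto code as (label, statement) pairs; labels are scheduler lines."""
    out = []
    for no, kind, payload, extra in sched:
        if kind == "init":
            out.append((None, declare(payload)))
        elif kind == "event":                               # steps 1405-1406
            out.append((no, T(payload[1]) + ";"))
        elif kind == "if":                                  # steps 1409-1412
            out.append((no, f"if (!({T(payload)})) goto L{extra['else'] + 1};"))
            out.append((extra["else"], f"goto L{extra['fi'] + 1};"))
        elif kind == "do":                                  # steps 1413-1416
            out.append((no, f"if (!({T(payload)})) goto L{extra['od'] + 1};"))
            out.append((extra["od"], f"goto L{no};"))
    # step 1408: declarations first, then the labelled statements in label order
    decls = [l for l in out if l[0] is None]
    return decls + sorted((l for l in out if l[0] is not None), key=lambda l: l[0])

def gen_target(sched):
    """Steps 1601-1611: structured code with while / if / else and braces."""
    out = []
    for no, kind, payload, extra in sched:
        if kind == "init":
            out.append(declare(payload))
        elif kind == "event":
            out.append(T(payload[1]) + ";")
        elif kind == "if":
            out.append(f"if ({T(payload)}) {{")
        elif kind == "do":
            out.append(f"while ({T(payload)}) {{")
        elif kind == "else":
            out.append("} else {")
        elif kind in ("fi", "od"):
            out.append("}")
    return out

def render_flattened(lines):
    """C text of the Flattened code. Jump targets that carry no statement of their
    own (L5 and L7 here) get an empty labelled statement so that the text compiles."""
    text = [f"L{l}: {s}" if l is not None else s for l, s in lines]
    targets = {int(t) for _, s in lines for t in re.findall(r"goto L(\d+)", s)}
    labels = {l for l, _ in lines if l is not None}
    return "\n".join(text + [f"L{t}: ;" for t in sorted(targets - labels)])

if __name__ == "__main__":
    print(render_flattened(gen_flattened(SCHEDULER)))
    print("\n".join(gen_target(SCHEDULER)))
```

Both generators walk the same scheduler, but they never see each other's output; that independence is what makes the later comparison of the Target code against the structured Flattened code meaningful.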
  • FIG. 17 is a flowchart showing an example of the procedure of the model refinement proof unit.
  • The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 loads into the memory 203 and executes. This program is composed of the code
  • By executing the model refinement proof unit 109, the CPU 202 acquires the Restricted model from the Restricted model holding unit, and acquires from the Scheduled model holding unit 106 the Scheduled model that the intermediate product generation unit 118 generated from that Restricted model. The machine of the Scheduled model is then made a refinement of the Restricted model: specifically, the name of the most refined machine of the Restricted model is set in the REFINES clause of the Scheduled model machine (step 1701).
  • The model refinement proof unit 109 makes the context referenced by the Restricted model visible to the Scheduled model: specifically, the name of the context referenced (SEES) by the most refined machine of the Restricted model is set in the SEES clause of the Scheduled model machine (step 1702).
  • The model refinement proof unit 109 generates the proof obligations for refinement from the Restricted model and the Scheduled model. How to create proof obligations for refinement is described, for example, in Non-Patent Document 2, pp. 192-197 (step 1703).
  • The model refinement proof unit 109 discharges the proof obligations using inference rules. The discharging of proof obligations is described, for example, in Non-Patent Document 2, pp. 306-352. The proof result is registered in the refinement proof result holding unit 110 (step 1704).
  • FIGS. 18A and 18B are flowcharts showing an example of the procedure of the intermediate equivalence proof unit.
  • The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 loads into the memory 203 and executes. This program is composed of the code
  • the CPU 202 executes the intermediate equivalence proof unit 114 to acquire the Scheduled model from the Scheduled model holding unit 106, and acquires the INITIALIZATION event (Step 1801).
  • The intermediate equivalence proof unit 114 acquires, among the unprocessed events of the Scheduled model, the event whose guard restricts the counter variable to the smallest value; several events may share that smallest value (step 1802).
  • The intermediate equivalence proof unit 114 determines whether the events acquired in step 1802 include a guard other than the guard restricting the counter variable. If they do, step 1804 is executed; if not, step 1805 (step 1803).
  • The intermediate equivalence proof unit 114 extracts, from the events acquired in step 1802, the false event, that is, the event having the negated guard (step 1804).
  • The intermediate equivalence proof unit 114 creates an if statement code having the guard of the false event as its branch condition (step 1806). For example, in the case of the event loop1_false in FIGS. 9A to 9C, a code corresponding to the if statement of the code 1003 is generated.
  • The intermediate equivalence proof unit 114 creates a goto statement code that jumps to the label of the value assigned to the counter variable in the false event, and adds it as the body of the if statement code (step 1807). For example, in the case of the event loop1_false in FIGS. 9A to 9C, the value assigned to the counter variable pc is 7, so a code corresponding to the goto statement of the code 1003 is generated.
  • The intermediate equivalence proof unit 114 creates a goto statement code that jumps to the label of the number assigned to the counter variable by the action of the acquired event that updates the counter variable (step 1808). For example, for the exit event 910 of FIGS. 9A to 9C, a code corresponding to the code 1005 is generated.
  • The intermediate equivalence proof unit 114 converts the action of the acquired event into code of the programming language. An example of the conversion rules is shown in FIG. 15 (step 1809).
  • The intermediate equivalence proof unit 114 assigns, as a label on the first line of the code created in the above steps, the value to which the guard of the event acquired in step 1802 restricts the counter variable. Since the INITIALIZATION event has no guard, it receives the label 0 (step 1810). For example, for the event inc of FIGS. 9A to 9C, the value of the counter variable pc restricted by the guard 901 is 3, so the label 3 is given to the code 1002, as shown in FIG. 10.
  • the intermediate equivalence proof unit 114 checks whether there is an unprocessed event among the events included in the Scheduled model. If there is an unprocessed event, the process returns to step 1802. If all events have been processed, step 1812 is executed (step 1811).
  • The intermediate equivalence proof unit 114 acquires, from the Flattened code holding unit 107, the Flattened code generated from the Scheduled model by the procedure of FIGS. 14A to 14C, and compares it with the code created in the above steps (step 1812).
  • If the generated Flattened code matches the created code, the intermediate equivalence proof unit 114 executes step 1814; otherwise it executes step 1815 (step 1813).
  • the intermediate equivalence proof unit 114 outputs the equivalence proof success and registers it as a proof result in the intermediate proof result holding unit 115 (step 1814).
  • the intermediate equivalence proof unit 114 outputs an equivalence proof failure and registers it as a proof result in the intermediate proof result holding unit 115 (step 1815).
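The Scheduled model generation of steps 1309 to 1318 and the equivalence check of steps 1801 to 1815 form one round trip: the scheduler is turned into guarded events over the counter variable pc, and the check rebuilds goto code from those events and compares it with the Flattened code. The Python below is an added example written for this page, not the patent's implementation. The scheduler is constructed in the shape of FIG. 8 with assumed conditions and actions and with the else/fi/od pairing carried in the data; the event names for the exit and return events (`if1_exit`, `loop1_return`), the `pc := 1` action of INITIALIZATION, the rule table standing in for FIG. 15 and the choice to leave the INITIALIZATION line unlabelled (C allows no label on a declaration, whereas step 1810 assigns the label 0) are also assumptions. The test at the end injects a generator defect, an exit event that jumps to fi instead of fi + 1, to show that the comparison rejects it.

```python
import re

# Constructed scheduler in the shape of FIG. 8; conditions, actions and the
# pre-resolved else/fi/od line numbers are assumptions, not the figure's contents.
SCHEDULER = [
    (0, "init",  {"p": "0", "q": "0", "r": "10"}, None),
    (1, "do",    "p < r",               {"od": 6}),
    (2, "if",    "q = 0",               {"else": 4, "fi": 5}),
    (3, "event", ("inc", "p := p + 1"), None),
    (4, "else",  None, None),
    (5, "fi",    None, None),
    (6, "od",    None, None),
]

def gen_scheduled(sched):
    """Steps 1309-1318 for if and do lines; plain events and INITIALIZATION are
    handled as assumed here. Returns events as (name, guards, actions) over the
    counter variable pc, in Event-B notation."""
    events, n_if, n_do = [], 0, 0
    for no, kind, payload, extra in sched:
        if kind == "init":
            events.append(("INITIALIZATION", [],
                           [f"{v} := {e}" for v, e in payload.items()] + ["pc := 1"]))
        elif kind == "event":
            events.append((payload[0], [f"pc = {no}"], [payload[1], "pc := pc + 1"]))
        elif kind == "if":
            n_if += 1
            events += [
                (f"if{n_if}_true",  [payload, f"pc = {no}"],         ["pc := pc + 1"]),                # 1309-1311
                (f"if{n_if}_false", [f"¬({payload})", f"pc = {no}"], [f"pc := {extra['else'] + 1}"]),  # 1309, 1310, 1312
                (f"if{n_if}_exit",  [f"pc = {extra['else']}"],       [f"pc := {extra['fi'] + 1}"]),    # 1313
            ]
        elif kind == "do":
            n_do += 1
            events += [
                (f"loop{n_do}_true",   [payload, f"pc = {no}"],         ["pc := pc + 1"]),               # 1314-1316
                (f"loop{n_do}_false",  [f"¬({payload})", f"pc = {no}"], [f"pc := {extra['od'] + 1}"]),  # 1317
                (f"loop{n_do}_return", [f"pc = {extra['od']}"],         [f"pc := {no}"]),                # 1318
            ]
    return events

# Stand-in for the FIG. 15 conversion rules, Event-B -> C (assumed subset).
RULES = {"∧": "&&", "∨": "||", "¬": "!", "≠": "!=", ":=": "=", "=": "=="}
TOKEN = re.compile(r":=|<=|>=|≠|=|∧|∨|¬")

def T(expr):
    return TOKEN.sub(lambda m: RULES.get(m.group(), m.group()), expr)

def pc_target(action):
    """The value an action 'pc := N' assigns to the counter variable."""
    return action.split(":= ")[1]

def reconstruct_flattened(events):
    """Steps 1801-1810: rebuild goto code from the Scheduled model, taking the
    events pc value by pc value. INITIALIZATION has no guard and becomes the
    declaration line (left unlabelled here; C allows no label on a declaration)."""
    init = next(e for e in events if e[0] == "INITIALIZATION")
    out = [(None, "int " + ", ".join(T(a) for a in init[2] if not a.startswith("pc")) + ";")]
    by_pc = {}
    for name, guards, actions in events:
        pc = [int(g[5:]) for g in guards if g.startswith("pc = ")]
        if pc:
            by_pc.setdefault(pc[0], []).append((name, guards, actions))
    for pc in sorted(by_pc):
        false = [e for e in by_pc[pc] if any(g.startswith("¬") for g in e[1])]
        if false:                                           # 1803-1807: branch -> if (¬cond) goto
            guard = next(g for g in false[0][1] if g.startswith("¬"))
            out.append((pc, f"if ({T(guard)}) goto L{pc_target(false[0][2][0])};"))
            continue
        name, guards, actions = by_pc[pc][0]
        jump = next(a for a in actions if a.startswith("pc :="))
        if jump == "pc := pc + 1":                          # 1809: action code, falls through
            out.append((pc, "; ".join(T(a) for a in actions if not a.startswith("pc")) + ";"))
        else:                                               # 1808: explicit jump
            out.append((pc, f"goto L{pc_target(jump)};"))
    return out

def equivalent(events, flattened):
    """Steps 1812-1815: success only if the rebuilt code equals the generated Flattened code."""
    return reconstruct_flattened(events) == flattened

# Flattened code generated from the same scheduler (constructed, in the shape of FIG. 10).
FLATTENED = [
    (None, "int p = 0, q = 0, r = 10;"),
    (1, "if (!(p < r)) goto L7;"),
    (2, "if (!(q == 0)) goto L5;"),
    (3, "p = p + 1;"),
    (4, "goto L6;"),
    (6, "goto L1;"),
]

if __name__ == "__main__":
    print(equivalent(gen_scheduled(SCHEDULER), FLATTENED))
```

The comparison is purely syntactic, so the reconstruction must emit exactly the text the Flattened code generator emits; any formatting freedom in either path shows up as a spurious proof failure rather than as a false success.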
  • FIG. 19 is a flowchart showing an example of the procedure of the code equivalence proof unit.
  • The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 loads into the memory 203 and executes. This program is composed of the code
  • the CPU 202 executes the code equivalence proving unit 116 to acquire the flattened code from the flattened code holding unit 107, and performs code conversion by the goto conversion process shown in FIGS. 20A and 20B (step 1901).
  • The code equivalence proof unit 116 acquires, from the Target code holding unit 108, the Target code generated from the Flattened code by the procedure of FIGS. 16A and 16B, and compares it with the code created in step 1901 (step 1902). If the generated Target code matches the created code, the code equivalence proof unit 116 executes step 1904; otherwise it executes step 1905 (step 1903).
  • the code equivalence proof unit 116 outputs the equivalence proof success and registers it as a proof result in the code proof result holding unit 117 (step 1904).
  • the code equivalence proof unit 116 outputs an equivalence proof failure and registers it as a proof result in the code proof result holding unit 117 (step 1905).
  • FIGS. 20A and 20B are flowcharts showing an example of the procedure of the goto conversion process.
  • The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 loads into the memory 203 and executes. This program is composed of the code
  • the CPU 202 executes the code equivalence proof unit 116 to acquire the first line among the unprocessed lines of the input Flattened code (Step 2001).
  • the code equivalence proving unit 116 executes the following procedure depending on the type of acquired line acquired in step 2001. If the acquisition line is an if statement code, step 2004 is executed. If the acquired line is an assignment statement code, step 2003 is executed (step 2002).
  • The code equivalence proof unit 116 outputs the acquired assignment statement code as it is (step 2003).
  • The code equivalence proof unit 116 checks whether a goto statement code jumping to the acquired if statement code exists in the Flattened code. If it exists, step 2005 is executed; if not, step 2008 (step 2004).
  • The code equivalence proof unit 116 creates a while statement code whose loop condition is the branch condition of the acquired if statement code with its negation removed (step 2005). Taking FIG. 10 as an example, the while statement code 1104 of FIG. 11 is created from the if statement code 1003.
  • The code equivalence proof unit 116 recursively applies this goto conversion process to the code between the acquired if statement code and the goto statement code jumping to it in the Flattened code (step 2006). In the example of FIG. 10, the recursion is applied to the code between the if statement code 1003 and the goto statement code 1006.
  • The code equivalence proof unit 116 outputs the code created by the recursive application as the body of the while statement code created in step 2005 (step 2007).
  • The code equivalence proof unit 116 creates an if statement code whose branch condition is the branch condition of the acquired if statement code with its negation removed (step 2008). In the example of FIG. 10, the if statement code 1103 of FIG. 11 is created from the if statement code 1004.
  • The code equivalence proof unit 116 recursively applies this goto conversion process to the code in the Flattened code between the acquired if statement code and the goto statement code located on the line one before the jump destination of the goto statement code contained in the body of that if statement code (step 2009). In the example of FIG. 10, the recursion is applied to the code between the if statement code 1004 and the goto statement code 1005.
  • The code equivalence proof unit 116 outputs the code created by the recursive application as the body of the if statement code created in step 2008 (step 2010).
  • The code equivalence proof unit 116 outputs, as the else statement code, the goto statement code located on the line one before the jump destination of the goto statement code contained in the body of the acquired if statement code (step 2011). In the example of FIG. 10, the else statement code 1107 of FIG. 11 is created from the goto statement code 1005.
  • The code equivalence proof unit 116 recursively applies this goto conversion process to the code between that goto statement code and the line to which it jumps (step 2012). In the example of FIG. 10, the recursion is applied to the code between the goto statement code 1005 and the code 1006.
  • The code equivalence proof unit 116 outputs the code created by the recursive application as the body of the else statement code created in step 2011 (step 2013).
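The goto conversion of steps 2001 to 2013 and the comparison of steps 1901 to 1905 can be exercised together. The Python below is an added example written for this page; it is not the patent's implementation. The Flattened code and the Target code are constructed in the shape of FIG. 10 and FIG. 11 with assumed conditions (`p < r`, `q == 0`) and an assumed action for inc; the function names `structure` and `check`, the `L<n>` label syntax, and the treatment of an if statement whose jump destination is not preceded by a goto (taken here as a branch without else, a case the steps do not cover) are also assumptions. A constructed generator defect, a Flattened code that lacks the loop's return jump, shows what the comparison catches: the structured code comes out as a one-shot if instead of a while, and no longer matches the Target code.

```python
import re

IF_GOTO = re.compile(r"^if \(!\((.*)\)\) goto L(\d+);$")
GOTO = re.compile(r"^goto L(\d+);$")

def first_label_from(lines, start, n):
    """Index of the first line at or after `start` whose label is >= n, else len(lines)."""
    return next((j for j in range(start, len(lines))
                 if lines[j][0] is not None and lines[j][0] >= n), len(lines))

def structure(lines):
    """Steps 2001-2013: convert labelled goto code, a list of (label, statement),
    into while / if / else code, recursing on the regions the steps delimit."""
    out, i = [], 0
    while i < len(lines):
        label, stmt = lines[i]
        m = IF_GOTO.match(stmt)
        if not m:                                       # 2003: assignment / declaration as is
            out.append(stmt)
            i += 1
            continue
        cond, target = m.group(1), int(m.group(2))
        # 2004: a goto back to this if statement makes it a loop (2005-2007)
        back = next((j for j in range(i + 1, len(lines))
                     if lines[j][1] == f"goto L{label};"), None)
        if back is not None:
            out += [f"while ({cond}) {{", *structure(lines[i + 1:back]), "}"]
            i = back + 1
            continue
        # 2008-2013: the goto on the line before the jump destination is the else
        els = next((j for j in range(i + 1, len(lines))
                    if lines[j][0] == target - 1 and GOTO.match(lines[j][1])), None)
        if els is None:                                 # no else goto: plain if (assumption)
            end = first_label_from(lines, i + 1, target)
            out += [f"if ({cond}) {{", *structure(lines[i + 1:end]), "}"]
            i = end
            continue
        else_target = int(GOTO.match(lines[els][1]).group(1))
        end = first_label_from(lines, els + 1, else_target)
        out += [f"if ({cond}) {{", *structure(lines[i + 1:els]),
                "} else {", *structure(lines[els + 1:end]), "}"]
        i = end
    return out

def check(flattened, target):
    """Steps 1901-1905: the Target code passes only if it equals the structured Flattened code."""
    return structure(flattened) == target

# Constructed inputs in the shape of FIG. 10 and FIG. 11 (conditions assumed).
FLATTENED = [
    (None, "int p = 0, q = 0, r = 10;"),
    (1, "if (!(p < r)) goto L7;"),
    (2, "if (!(q == 0)) goto L5;"),
    (3, "p = p + 1;"),
    (4, "goto L6;"),
    (6, "goto L1;"),
]
TARGET = [
    "int p = 0, q = 0, r = 10;",
    "while (p < r) {",
    "if (q == 0) {",
    "p = p + 1;",
    "} else {",
    "}",
    "}",
]
# Injected generator defect: the return jump of the loop (label 6) is missing.
BUGGY_FLATTENED = [l for l in FLATTENED if l[0] != 6]

if __name__ == "__main__":
    print(check(FLATTENED, TARGET), check(BUGGY_FLATTENED, TARGET))
```

The structuring step reads nothing but the Flattened code, so a defect in the Target code generator and a defect in the Flattened code generator both surface as a mismatch; what the check cannot tell is which of the two generators is wrong.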
  • In the embodiment above, the source code generation device and the source code verification device are separate devices, but both functions may be realized by a single device.
  • In the embodiment, a Scheduled model, which is a formal model including a control structure, is generated together with the Flattened code. The Scheduled model and the Flattened code bridge the differences between the Restricted model and the Target code regarding the presence or absence of a control structure and regarding language.


Abstract

The present invention verifies that source code generated from a software specification written in a formal language is the result of refining that software specification, that is, that the source code implements the software. A source code generation device is provided with: scheduler editing means that edits a scheduler defining a control structure including at least an "if" conditional branching structure and a "do" loop structure; source code generation means that generates, from the software specification and the edited scheduler, source code including at least an "if" conditional branching structure or a "do" loop structure; scheduled model generation means that generates, from the software specification and the edited scheduler, a scheduled model written in the formal language and including a control structure; and flattened code generation means that generates, from the software specification and the edited scheduler, flattened code written in a programming language that contains "goto" statements and includes neither an "if" conditional branching structure nor a "do" loop structure.

Description

Source code generation device, source code verification device, source code generation method, and source code generation program
The present invention relates to technology for supporting software development, and more particularly to technology for generating source code from software specifications.
Verification of the correctness of a software specification by formal methods is done by describing the specification of the software in a formal language having a mathematical meaning and proving, by mathematical methods, the correctness of the software specification written in that formal language (hereinafter called a formal model). Patent Document 1 further discloses a method for generating source code from such a proven formal model. Generating source code from a proven formal model avoids the introduction of defects during manual source code development and reduces the effort of source code development. As a result, effects such as a reduction in software development man-hours and a reduction in software defects are obtained.
In Event-B and similar formal methods, the specifications of upstream development processes, which contain many uncertainties, are the object of proof, so the formal model is written in a formal language with a high degree of abstraction that does not specify the control structure of the processing (events). On the other hand, in a general source code description language (programming language) such as C, the control structure of the processing is described in detail. Therefore, in order to generate source code from a formal model that does not include a control structure, as with an Event-B formal model, the control structure must be defined.
Non-Patent Document 1 discloses a method that makes it possible to generate source code from a formal model written in the Event-B language by extending the Event-B language so that the control structure can be defined. With this method, source code can be generated from a formal model that does not include a control structure. As a result, even when the software specification is proved with a formal model that does not include a control structure, the reduction of software development man-hours through source code generation can be obtained.
Patent Document 1: Japanese Patent No. 2946715
With the above conventional technology, a control structure can be defined for a formal model, and source code can be generated from the formal model including that control structure. The generation of the source code is realized by a tool. If the implementation of the tool contains an error, that error may also be introduced into the generated source code. An "error" here means that the generated source code is not the result of refining the software specification represented by the source formal model, that is, it does not realize that software specification.
That is, with the conventional technology, erroneous source code may be generated because of a defect in the tool or the like. When the formal model is written in a formal language with a high degree of abstraction that does not include a control structure, as with Event-B, the formal model and the source code differ in whether they include the control structure. There are also differences between the languages: the formal language describes processing as events, whereas the source code description language describes processing procedurally. For these reasons, it is difficult to compare the formal model with the generated source code, and such an error cannot be detected.
Testing is effective for detecting such erroneous source code, but since testing cannot always detect the error, it is not sufficient as a means of solving this problem.
The problem, therefore, is to make it possible to detect errors in the source code when a formal model is written in a formal language with a high degree of abstraction that does not specify a control structure, such as Event-B, and source code is generated from that formal model.
In view of the above, it is an object of the present invention to address this problem and to provide a technique for reducing software defects by making errors in the source code generated from the formal model detectable.
To solve the above problem and achieve the object, a source code generation device according to the present invention generates source code written in a programming language from a software specification written in a formal language, and comprises: scheduler editing means for editing a scheduler that defines, for the processing of the software specification that does not include a control structure, a control structure including at least an if conditional branch structure and a do loop structure; source code generation means for generating, from the software specification and the edited scheduler, source code including at least an if conditional branch structure or a do loop structure; Scheduled model generation means for generating, from the software specification and the edited scheduler, a Scheduled model written in the formal language and including a control structure; and Flattened code generation means for generating, from the software specification and the edited scheduler, Flattened code written in the programming language that contains goto statements and includes neither an if conditional branch structure nor a do loop structure.
The present invention can also be understood as a source code generation method and a source code generation program performed by the source code generation device. The present invention is also configured as a source code verification device that proves refinement and equivalence using data received from the source code generation device.
According to the present invention, it is possible to provide a technique for reducing software defects by making errors in source code generated from a formal model detectable.
FIG. 1 is a block diagram showing a configuration example of the source code generation device.
FIG. 2 is a block diagram showing a hardware configuration example of the source code generation device.
FIG. 3 is a block diagram showing a configuration example of the source code verification device.
FIG. 4A is an example of a Developed model (machine).
FIG. 4B is an example of a Developed model (machine).
FIG. 5 is an example of a Developed model (context).
FIG. 6A is an example of a Restricted model (machine).
FIG. 6B is an example of a Restricted model (machine).
FIG. 7 is an example of a Restricted model (context).
FIG. 8 is an example of a scheduler.
FIG. 9A is an example of a Scheduled model.
FIG. 9B is an example of a Scheduled model.
FIG. 9C is an example of a Scheduled model.
FIG. 10 is an example of Flattened code.
FIG. 11 is an example of Target code.
FIG. 12 is a flowchart showing a procedure example of the model conversion unit.
FIG. 13A is a flowchart showing a procedure example of the intermediate product generation unit (Scheduled model generation procedure).
FIG. 13B is a flowchart showing a procedure example of the intermediate product generation unit (Scheduled model generation procedure).
FIG. 13C is a flowchart showing a procedure example of the intermediate product generation unit (Scheduled model generation procedure).
FIG. 14A is a flowchart showing a procedure example of the intermediate product generation unit (Flattened code generation procedure).
FIG. 14B is a flowchart showing a procedure example of the intermediate product generation unit (Flattened code generation procedure).
FIG. 14C is a flowchart showing a procedure example of the intermediate product generation unit (Flattened code generation procedure).
FIG. 15 is an example of conversion rules from the Event-B language to the C language.
FIG. 16A is a flowchart showing a procedure example of the code generation unit.
FIG. 16B is a flowchart showing a procedure example of the code generation unit.
FIG. 17 is a flowchart showing a procedure example of the model refinement proving unit.
FIG. 18A is a flowchart showing a procedure example of the intermediate product equivalence proving unit.
FIG. 18B is a flowchart showing a procedure example of the intermediate product equivalence proving unit.
FIG. 19 is a flowchart showing a procedure example of the code equivalence proving unit.
FIG. 20A is a flowchart showing a procedure example of the goto conversion process.
FIG. 20B is a flowchart showing a procedure example of the goto conversion process.
An embodiment of the present invention will now be described in detail with reference to the drawings.
This embodiment is applied to a source code generation device. In this embodiment, when the Target code, which is the source code to be generated, is generated from the Restricted model, which is a formal model in which the correctness of the software specification has been formally proved, two further artifacts are generated alongside it: a Scheduled model, which is a formal model including a control structure, and Flattened code, which is source code that uses goto statements instead of if branches and do loops. The Scheduled model and the Flattened code bridge the differences between the Restricted model and the Target code, namely the presence or absence of a control structure and the difference in language. That is, by proving the refinement relationship between the Restricted model and the Scheduled model, proving the equivalence of the Scheduled model and the Flattened code, and proving the equivalence of the Flattened code and the Target code, it becomes possible to prove that the Target code is the result of refining the specification represented by the Restricted model.
Therefore, according to this embodiment, errors in the generated source code, the Target code, can be detected, which reduces defects in software that uses the Target code.
In this embodiment, in order to generate the Target code, the Scheduled model and the Flattened code from the Restricted model, the input of a scheduler that represents the control structure of the Restricted model's processing is accepted. In the scheduler, if conditional branch structures, do loop structures and sequential compositions can be described using the events included in the Restricted model. Furthermore, in the scheduler, pre-states and post-states, that is, the conditions that must hold before and after execution, can be described for the events, the if conditional branch structures and the do loop structures.
In addition, in this embodiment, by confirming that there is no contradiction among the preconditions and postconditions in the scheduler, it can be confirmed that the control structure indicated by the scheduler is executable. If a control structure that cannot be executed is designed in the scheduler, the Scheduled model will not be the result of refining the Restricted model. In other words, design errors in the scheduler can be found before the Scheduled model, the Flattened code and the Target code are generated. Therefore, according to this embodiment, the rework effort incurred when the scheduler contains a design error can be reduced.
In this embodiment there is also a constraint that the variables and constants included in the Restricted model have an upper limit value and a lower limit value. Similarly, when the Restricted model includes an arithmetic expression, there is a constraint that the arithmetic expression never assigns a value exceeding the upper limit value or the lower limit value to a variable. Furthermore, in this embodiment the Restricted model is generated from a Developed model that does not have such constraints, and it can be proved that the Restricted model is the result of refining the Developed model. Therefore, according to this embodiment, the effort of creating the Restricted model from the Developed model in order to obtain the Target code can be reduced.
FIG. 1 is a block diagram showing a configuration example of the source code generation device 201 of this embodiment, which targets Event-B.
The source code generation device 201 includes a model editing unit 101, a Developed model holding unit 102, a model conversion unit 103, a Restricted model holding unit 104, a code generation unit 105, a Scheduled model holding unit 106, a Flattened code holding unit 107, a Target code holding unit 108, a model refinement proving unit 109, a refinement proof result holding unit 110, a scheduler holding unit 111, a scheduler editing unit 112, a scheduler checking unit 113, an intermediate product equivalence proving unit 114, an intermediate product proof result holding unit 115, a code equivalence proving unit 116, a code proof result holding unit 117, and an intermediate product generation unit 118.
The model editing unit 101 accepts the creation and editing of a Developed model described in the Event-B language and registers it in the Developed model holding unit 102. The Developed model is a formal model that includes variables and constants with no upper or lower limit values.
The model conversion unit 103 acquires the Developed model from the Developed model holding unit 102 and converts it into a Restricted model described in the Event-B language. An example of the conversion procedure is shown in FIG. 12. The variables and constants included in the Restricted model have upper and lower limit values. Furthermore, when the Restricted model includes an arithmetic expression, the upper and lower limit values of the constants are set so that the arithmetic expression never assigns a value exceeding the upper or lower limit value to a variable. The created Restricted model is registered in the Restricted model holding unit 104.
The code generation unit 105 acquires the Restricted model from the Restricted model holding unit 104, generates from it Target code described in a programming language such as C, and registers the Target code in the Target code holding unit 108. The Target code is source code that includes if conditional branch structures and do loop structures. An example of the code generation procedure is shown in FIGS. 16A and 16B.
The scheduler editing unit 112 accepts the creation and editing of a scheduler and registers it in the scheduler holding unit 111. In the scheduler, if conditional branch structures, do loop structures and sequential compositions can be described using the events (EVENTS) included in the Restricted model. Furthermore, in the scheduler, pre-states and post-states, that is, the conditions that must hold before and after execution, can be described for the events, the if conditional branch structures and the do loop structures.
The scheduler checking unit 113 acquires the scheduler from the scheduler holding unit 111 and checks that there is no contradiction among the preconditions and postconditions in the scheduler. For example, suppose that an if conditional branch structure bran with a condition cond contains an event evt that is executed when the condition holds. In this case, it must be possible to derive the precondition of the event evt from the precondition of the if conditional branch structure bran and the condition cond. At the same time, it must be possible to derive the postcondition of the if conditional branch structure bran from the postcondition of the event evt. Also, when a sequential composition of events evt1 and evt2 is executed instead of the event evt, it must be possible to derive the precondition of the event evt2 from the postcondition of the event evt1. If any of these derivations is impossible, the control structure indicated by the scheduler is an erroneous control structure that cannot be executed.
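The three derivations the scheduler check requires can be made concrete on a finite state space, where "Q can be derived from P" becomes "no state satisfies P without satisfying Q". The following C program is an added illustration and is not code from the patent: the state (two integer variables r and q over a small domain), the sample conditions, and the events dec, evt1 and evt2 are all constructed for this example. It checks the if-branch rule (pre(bran) and cond yield pre(evt); post(evt) yields post(bran)) and the sequential-composition rule (post(evt1) yields pre(evt2)), and shows one consistent and one inconsistent instance of each.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed state space (an assumption of this example, not from the
 * patent): two integer variables r and q, each restricted to a small domain
 * so that every state can be enumerated. */
#define DOM_MIN 0
#define DOM_MAX 7

typedef struct { int r; int q; } State;
typedef bool (*Cond)(const State *s);

/* "Condition q can be derived from condition p" is decided here by brute
 * force: no enumerated state satisfies p without also satisfying q. */
static bool derivable(Cond p, Cond q) {
    for (int r = DOM_MIN; r <= DOM_MAX; r++) {
        for (int v = DOM_MIN; v <= DOM_MAX; v++) {
            State s = { r, v };
            if (p(&s) && !q(&s)) return false;
        }
    }
    return true;
}

/* Check for an if branch `bran` with condition `cond` whose true branch runs
 * event `evt`:
 *   1. pre(bran) together with cond must yield pre(evt);
 *   2. post(evt) must yield post(bran). */
static bool check_if_branch(Cond pre_bran, Cond cond, Cond pre_evt,
                            Cond post_evt, Cond post_bran) {
    for (int r = DOM_MIN; r <= DOM_MAX; r++) {
        for (int v = DOM_MIN; v <= DOM_MAX; v++) {
            State s = { r, v };
            if (pre_bran(&s) && cond(&s) && !pre_evt(&s)) return false;
        }
    }
    return derivable(post_evt, post_bran);
}

/* Check for the sequential composition evt1; evt2: post(evt1) must yield
 * pre(evt2). */
static bool check_sequence(Cond post_evt1, Cond pre_evt2) {
    return derivable(post_evt1, pre_evt2);
}

/* Sample conditions of the constructed scheduler. */
static bool always(const State *s)         { (void)s; return true; }
static bool q_positive(const State *s)     { return s->q > 0; }
static bool q_nonneg(const State *s)       { return s->q >= 0; }
static bool r_positive(const State *s)     { return s->r > 0; }
static bool r_at_least_one(const State *s) { return s->r >= 1; }
static bool r_at_least_two(const State *s) { return s->r >= 2; }

/* Consistent: "if q > 0 then dec", where event dec requires q > 0 and
 * leaves q >= 0, and the branch promises q >= 0 afterwards. */
static bool consistent_branch(void) {
    return check_if_branch(always, q_positive, q_positive, q_nonneg, q_nonneg);
}

/* Inconsistent: the branch condition q >= 0 is too weak to establish the
 * precondition q > 0 of dec, so the control structure is not executable. */
static bool inconsistent_branch(void) {
    return check_if_branch(always, q_nonneg, q_positive, q_nonneg, q_nonneg);
}

/* evt1 leaves r > 0 and evt2 needs r >= 1: derivable over the integers. */
static bool consistent_sequence(void) {
    return check_sequence(r_positive, r_at_least_one);
}

/* evt1 leaves r > 0 but evt2 needs r >= 2: the state r = 1 breaks it. */
static bool inconsistent_sequence(void) {
    return check_sequence(r_positive, r_at_least_two);
}

int main(void) {
    printf("consistent branch:     %s\n", consistent_branch() ? "ok" : "error");
    printf("inconsistent branch:   %s\n", inconsistent_branch() ? "ok" : "error");
    printf("consistent sequence:   %s\n", consistent_sequence() ? "ok" : "error");
    printf("inconsistent sequence: %s\n", inconsistent_sequence() ? "ok" : "error");
    return 0;
}
```

Enumeration works only because the domain here is tiny; the scheduler checking unit 113 must decide the same implications over the unbounded Event-B predicates, which is a theorem-proving task rather than a search. The example keeps the structure of the checks the page describes, not the way they are discharged.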
FIG. 8 shows an example of the scheduler: line 803, enclosed in [], represents the postcondition of the do loop structure above it, and line 804, enclosed in {}, represents the precondition of the event final below it.
The intermediate product generation unit 118 acquires the Restricted model from the Restricted model holding unit 104 and generates a Scheduled model described in the Event-B language and Flattened code described in a programming language such as C. The generated Scheduled model and Flattened code are registered in the Scheduled model holding unit 106 and the Flattened code holding unit 107, respectively. The Scheduled model is a model in which the control structure defined in the scheduler has been reflected in the Restricted model. Unlike the Target code, the Flattened code contains no if conditional branch structures or do loop structures; instead, it contains goto statements. Examples of the procedures for generating the Scheduled model and the Flattened code are shown in FIGS. 13A to 13C and FIGS. 14A to 14C, respectively.
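To make the three artifacts tangible, the following C program, added here and not taken from the patent, writes one constructed algorithm (quotient and remainder by repeated subtraction; the events loop_test, step and final are an assumption of this example, not the events of the patent's figures) in three forms: Target-code style with a structured loop, Flattened-code style with labels and goto, and Scheduled-model style where every event is guarded by a counter variable pc, which is how the page describes the Scheduled model's control structure. A bounded check then confirms that all three agree on every input in a small domain.

```c
#include <stdbool.h>
#include <stdio.h>

/* Result of the constructed algorithm: quotient q and remainder r of a / d,
 * computed by repeated subtraction (an assumption of this example). */
typedef struct { int q; int r; } Result;

/* Target-code form: structured control flow with a loop and its condition. */
static Result target_divide(int a, int d) {
    Result s = { 0, a };
    while (s.r >= d) {       /* do loop: repeat event "step" while r >= d */
        s.r = s.r - d;       /* event step, action 1 */
        s.q = s.q + 1;       /* event step, action 2 */
    }
    return s;                /* event final */
}

/* Flattened-code form: the same events, but the loop is expressed with
 * labels and goto; a conditional jump is the only branching form kept. */
static Result flattened_divide(int a, int d) {
    Result s = { 0, a };
loop_test:
    if (!(s.r >= d)) goto final_event;
    s.r = s.r - d;
    s.q = s.q + 1;
    goto loop_test;
final_event:
    return s;
}

/* Scheduled-model form: each event carries a guard on the counter variable
 * pc, and a dispatch loop fires whichever event is currently enabled. */
static Result scheduled_divide(int a, int d) {
    Result s = { 0, a };
    int pc = 0;
    for (;;) {
        if (pc == 0) {                   /* event loop_test, guard pc = 0 */
            pc = (s.r >= d) ? 1 : 2;
        } else if (pc == 1) {            /* event step, guard pc = 1 */
            s.r = s.r - d;
            s.q = s.q + 1;
            pc = 0;
        } else {                         /* event final, guard pc = 2 */
            break;
        }
    }
    return s;
}

/* Bounded equivalence check: all three forms agree, and satisfy the
 * specification a = q*d + r with 0 <= r < d, for every input in a small
 * domain. This is exhaustive testing on a finite domain, not the proof that
 * the page's equivalence proving units produce. */
static bool all_forms_agree(void) {
    for (int a = 0; a <= 60; a++) {
        for (int d = 1; d <= 9; d++) {
            Result t = target_divide(a, d);
            Result f = flattened_divide(a, d);
            Result s = scheduled_divide(a, d);
            if (t.q != f.q || t.r != f.r || t.q != s.q || t.r != s.r) return false;
            if (t.q * d + t.r != a || t.r < 0 || t.r >= d) return false;
        }
    }
    return true;
}

int main(void) {
    Result x = target_divide(17, 5);
    printf("17 / 5 -> q = %d, r = %d\n", x.q, x.r);
    printf("all forms agree on 0..60 / 1..9: %s\n", all_forms_agree() ? "yes" : "no");
    return 0;
}
```

The Flattened form is the one that the code equivalence proof has to relate to the Target code: the loop condition survives only as a conditional jump, and the loop body becomes straight-line code between two labels, so the gap to be bridged is the control structure alone, not the language.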
In this embodiment, C is used as the example description language of the Target code, but Target code described in another programming language can also be generated. To do so, the Flattened code must also be described in that other programming language, in the same way as the Target code, and the code equivalence proving unit 116 must support that language. Alternatively, the Flattened code can be described as abstract pseudocode (Pseudo code) and a code equivalence proving unit 116 prepared for each description language of the Target code.
The model refinement proving unit 109 acquires the Restricted model and the Scheduled model from the Restricted model holding unit 104 and the Scheduled model holding unit 106, respectively, and proves that the Scheduled model is the result of refining the Restricted model. The proof result is registered in the refinement proof result holding unit 110. An example of the proof procedure is shown in FIG. 17. The proof result held by the refinement proof result holding unit 110 consists of the Developed model and the Restricted model together with a "proof succeeded" or "proof failed" message.
Similarly, the model refinement proving unit 109 acquires the Developed model from the Developed model holding unit 102 and proves that the Restricted model is the result of refining the Developed model. The proof result is registered in the refinement proof result holding unit 110. This proof can be carried out by the same procedure as shown in FIG. 17. The proof result held by the refinement proof result holding unit 110 consists of the Restricted model and the Scheduled model together with a "proof succeeded" or "proof failed" message.
The intermediate product equivalence proving unit 114 acquires the Scheduled model and the Flattened code from the Scheduled model holding unit 106 and the Flattened code holding unit 107, respectively, and proves that the Scheduled model and the Flattened code are equivalent. The proof result is registered in the intermediate product proof result holding unit 115. An example of the proof procedure is shown in FIGS. 18A and 18B. The proof result held by the intermediate product proof result holding unit 115 consists of the Scheduled model and the Flattened code together with a "proof succeeded" or "proof failed" message.
The code equivalence proving unit 116 acquires the Flattened code and the Target code from the Flattened code holding unit 107 and the Target code holding unit 108, respectively, and proves that the Flattened code and the Target code are equivalent. The proof result is registered in the code proof result holding unit 117. An example of the proof procedure is shown in FIG. 19 and FIGS. 20A and 20B. The proof result held by the code proof result holding unit 117 consists of the Flattened code and the Target code together with a "proof succeeded" or "proof failed" message.
FIG. 2 shows a hardware configuration example of the source code generation device in this embodiment.
The source code generation device 201 includes a CPU 202, a memory 203, an external storage device 204, a display device 205, an input device 206, and an external medium input/output device 207.
The CPU 202 performs various kinds of processing by executing programs stored in the memory 203. The memory 203 functions as the work area of the CPU 202 and stores the programs and the data needed to execute them. Specifically, the memory 203 stores the programs constituting the model editing unit 101, the model conversion unit 103, the code generation unit 105, the model refinement proving unit 109, the scheduler editing unit 112, the scheduler checking unit 113, the intermediate product equivalence proving unit 114, the code equivalence proving unit 116, and the intermediate product generation unit 118, and at the same time stores the data held by the Developed model holding unit 102, the Restricted model holding unit 104, the Scheduled model holding unit 106, the Flattened code holding unit 107, the Target code holding unit 108, the refinement proof result holding unit 110, the scheduler holding unit 111, the intermediate product proof result holding unit 115, and the code proof result holding unit 117.
The external storage device 204 stores various kinds of data; it is, for example, a hard disk device. Specifically, it stores the Developed model holding unit 102, the Restricted model holding unit 104, the Scheduled model holding unit 106, the Flattened code holding unit 107, the Target code holding unit 108, the refinement proof result holding unit 110, the scheduler holding unit 111, the intermediate product proof result holding unit 115, and the code proof result holding unit 117.
Alternatively, at least some of the programs constituting the model editing unit 101, the model conversion unit 103, the code generation unit 105, the model refinement proving unit 109, the scheduler editing unit 112, the scheduler checking unit 113, the intermediate product equivalence proving unit 114, the code equivalence proving unit 116, and the intermediate product generation unit 118 may also be stored in the external storage device 204 and read into the memory 203 by the CPU 202 for execution when the various kinds of processing are carried out. Each program may be stored in the memory 203 or the external storage device 204 in advance, or may be introduced into the memory 203 or the external storage device 204 from another device via a usable medium as needed. A medium here means, for example, a storage medium that can be attached to and detached from the external medium input/output device 207, or a communication medium such as a network or a carrier wave or digital signal propagating over a network.
The display device 205 displays the results of program processing and the like; it is, for example, a display. The input device 206 receives instructions to execute processing and the input of information needed for processing from the user; it is, for example, a keyboard and a mouse.
The external medium input/output device 207 inputs and outputs data stored in the external storage device 204 and the like to and from an external medium. The external medium is a portable storage medium that can be attached to and detached from the external medium input/output device 207, and the external medium input/output device 207 is, for example, a drive device that can read from and write to the external medium.
The communication device 212 transmits and receives data stored in the external storage device 204 and the like to and from an external medium, for example a local area network or the Internet.
The source code generation device 201 is connected to the source code verification device 210 through a network 209. The source code verification device 210 has the same hardware configuration as the source code generation device 201.
The source code generation device 201 is used by a developer 208, and the Developed model, Restricted model, Scheduled model, Flattened code and Target code created with it are transmitted to the source code verification device 210 through the communication device 212 and the network 209. A verifier 211 receives the Developed model, Restricted model, Scheduled model, Flattened code and Target code using the source code verification device 210, and then carries out each proof using the model refinement proving unit 109, the intermediate product equivalence proving unit 114 and the code equivalence proving unit 116, which are also included in the source code generation device 201.
In this embodiment a network is adopted as the means of passing the Developed model, Restricted model, Scheduled model, Flattened code and Target code, but they may instead be passed on an external medium using the external medium input/output device 207.
FIG. 3 is a block diagram showing a configuration example of the source code verification device 210.
The source code verification device 210 includes a Developed model holding unit 102, a Restricted model holding unit 104, a Scheduled model holding unit 106, a Flattened code holding unit 107, a Target code holding unit 108, a model refinement proving unit 109, a refinement proof result holding unit 110, an intermediate product equivalence proving unit 114, an intermediate product proof result holding unit 115, a code equivalence proving unit 116, a code proof result holding unit 117, and an input receiving unit 301.
The input receiving unit 301 receives the input of the Developed model, Restricted model, Scheduled model, Flattened code and Target code and registers them in the Developed model holding unit 102, the Restricted model holding unit 104, the Scheduled model holding unit 106, the Flattened code holding unit 107 and the Target code holding unit 108, respectively. The refinement relationships and equivalences of the registered models and code are then proved by the same method as in the source code generation device 201.
FIGS. 4A, 4B and 5 are examples of the machines and the context constituting the Developed model held by the Developed model holding unit 102. FIGS. 6A, 6B and 7 are examples of the machines and the context constituting the Restricted model held by the Restricted model holding unit 104.
FIG. 8 is an example of the scheduler held by the scheduler holding unit 111. FIGS. 9A to 9C are examples of the Scheduled model held by the Scheduled model holding unit 106. The Scheduled model includes a counter variable pc and uses this counter variable to define the control structure of the processing (events); for example, the counter variable is used as a guard, as in guard 913, to define the control structure of the processing (events).
FIG. 10 is an example of the Flattened code held by the Flattened code holding unit 107. FIG. 11 is an example of the Target code held by the Target code holding unit 108. FIG. 12 is a flowchart showing a procedure example of the model conversion unit. The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 executes in the memory 203; this program consists of code for performing the various operations described below.
By executing the model conversion unit 103, the CPU 202 creates a new machine by further refining (REFINES) the detailed machine, that is, the machine most refined through refinement, in the Developed model acquired from the Developed model holding unit 102. At the same time, it creates a new context by extending (EXTENDS) the context that the detailed machine refers to. The new machine refers to (SEES) the new context (step 1201). In the example of FIGS. 6A and 6B, the new machine m_res refines (REFINES) the detailed machine m2 of the Developed model and refers to (SEES) the new context c0_res. As shown in FIG. 7, the new context c0_res extends (EXTENDS) the context c0 that the detailed machine m2 refers to.
Event-B adopts a formal-model design method called refinement (see, for example, Non-Patent Document 2: Jean-Raymond Abrial, "Modeling in Event-B", Cambridge University Press, 2010, p. 21). Refinement is a design method in which part of the target software specification is first modeled abstractly and the specification is then added to and refined in stages. The correctness of a refinement is proved by proving logical formulas called the proof obligations for the refinement.
In the new context, the model conversion unit 103 defines an upper limit value and a lower limit value for defining the ranges of the variables, constants and carrier sets included in the new machine and the new context (step 1202). In the example of FIG. 7, the upper limit value MAX_INT and the lower limit value MIN_INT are defined in constant declaration 701 and axiom 703.
In the new context, the model conversion unit 103 defines arithmetic functions for the four basic arithmetic operations (step 1203). In the example of FIG. 7, the arithmetic functions c_plus, c_minus, c_mul and c_div are defined in constant declaration 702 and axiom 704.
Using the upper and lower limit values defined in step 1202, the model conversion unit 103 restricts the ranges of the constants and carrier sets included in the new context (step 1204). In the example of FIG. 7, axiom 705 restricts the ranges of the constants.
Using the upper and lower limit values defined in step 1202, the model conversion unit 103 restricts the ranges of the variables included in the new machine (step 1205). In the example of FIGS. 6A and 6B, invariant 601 restricts the ranges of the variables. However, because the restriction in invariant 601 can be derived from axiom 705, it is defined as a theorem (THEOREMS).
 モデル変換部103は、上記新規マシンのイベントに含まれる算術式を、ステップ1203で作成した上記算術用関数を使った算術式に置き換える(ステップ1206)。図4A、Bおよび図6A、Bの例では、イベントincのアクション401を、アクション602に置き換えている。その他のイベントに対しても同様の置き換えを行っている。 The model conversion unit 103 replaces the arithmetic expression included in the event of the new machine with an arithmetic expression using the arithmetic function created in Step 1203 (Step 1206). In the example of FIGS. 4A and 4B and FIGS. 6A and 6B, the action 401 of the event inc is replaced with an action 602. Similar replacements are made for other events.
 モデル変換部103は、ステップ1206で置き換えた算術式について、算術の途中で算出される値が、ステップ1202で定義した上記上限値および上記下限値を超えることのないように、定数の値域を制限する(ステップ1207)。図7の例では、アクション602に含まれるアクションact2において、r+1+qの値が途中算出される。この値が上記上MAX_INTを超えることがないように、公理706にて定数nの値を制限している。 The model conversion unit 103 limits the constant range so that the value calculated in the middle of the arithmetic expression replaced in step 1206 does not exceed the upper limit value and the lower limit value defined in step 1202. (Step 1207). In the example of FIG. 7, in the action act2 included in the action 602, the value of r + 1 + q is calculated halfway. The value of the constant n is limited by the axiom 706 so that this value does not exceed MAX_INT above.
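The point of steps 1202 to 1207 is that the generated C code must never compute a value, even an intermediate one, outside [MIN_INT, MAX_INT]. The following is an added example, not code from the patent, that models the bounded operators c_plus, c_minus, c_mul and c_div in Python and checks an expression the way axiom 706 does statically: every intermediate result is range-checked. The 32-bit limits, the RangeViolation type, the tiny tuple AST and the sample operands are constructed for this example; the operator names and the expression r+1+q follow FIG. 7.

```python
# Added example (not from the patent): bounded arithmetic of the Restricted
# model, with an evaluator that rejects any out-of-range intermediate value.

# Assumed 32-bit limits; the page defines MAX_INT/MIN_INT but not their values.
MAX_INT = 2**31 - 1
MIN_INT = -2**31


class RangeViolation(Exception):
    """Raised when an intermediate or final value leaves [MIN_INT, MAX_INT]."""


def _check(v):
    if v < MIN_INT or v > MAX_INT:
        raise RangeViolation(f"{v} outside [{MIN_INT}, {MAX_INT}]")
    return v


def c_plus(a, b):
    return _check(a + b)


def c_minus(a, b):
    return _check(a - b)


def c_mul(a, b):
    return _check(a * b)


def c_div(a, b):
    if b == 0:
        raise ZeroDivisionError("c_div by zero")
    # C truncates toward zero; Python's // floors, so mirror C explicitly.
    q = abs(a) // abs(b)
    return _check(q if (a >= 0) == (b >= 0) else -q)


_OPS = {"plus": c_plus, "minus": c_minus, "mul": c_mul, "div": c_div}


def in_range(op, a, b):
    """True if op(a, b) is representable, False if it would leave the range."""
    try:
        _OPS[op](a, b)
        return True
    except RangeViolation:
        return False


def eval_bounded(expr, env):
    """Evaluate a tiny arithmetic AST with the bounded operators.

    expr is an int, a variable/constant name looked up in env, or a tuple
    (op, left, right) with op in {"plus", "minus", "mul", "div"}. Every
    intermediate result passes through the bounded operator, which is the
    property step 1207 preserves for the generated code.
    """
    if isinstance(expr, int):
        return _check(expr)
    if isinstance(expr, str):
        return _check(env[expr])
    op, left, right = expr
    return _OPS[op](eval_bounded(left, env), eval_bounded(right, env))


# act2 of action 602 computes r + 1 + q left to right, so r + 1 is an
# intermediate value that must itself stay in range.
ACT2 = ("plus", ("plus", "r", 1), "q")


def act2_in_range(r, q):
    """True if r + 1 + q is computable without any intermediate leaving the
    range; this is the condition axiom 706 discharges by bounding n."""
    try:
        eval_bounded(ACT2, {"r": r, "q": q})
        return True
    except RangeViolation:
        return False


if __name__ == "__main__":
    print(act2_in_range(MAX_INT - 1, 0), act2_in_range(MAX_INT, -5))
```

The second call in the usage line shows why intermediate values matter: r+1+q with r = MAX_INT and q = -5 has an in-range final result, but r+1 overflows first, so the check rejects it.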
FIGS. 13A to 13C are flowcharts showing an example of the procedure, among the procedures of the intermediate product generation unit, for generating the Scheduled model.
The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 executes in the memory 203. This program consists of code for performing the various operations described below.
By executing the intermediate product generation unit 118, the CPU 202 acquires the first of the unprocessed lines of the scheduler (step 1301). The intermediate product generation unit 118 then executes the following procedure according to the kind of line acquired in step 1301: if the acquired line is an event, step 1303 is executed; if it is an if branch condition, step 1309 is executed; if it is a do loop condition, step 1314 is executed; otherwise, step 1308 is executed (step 1302).
The intermediate product generation unit 118 determines whether the acquired event is INITIALIZATION. If the event is INITIALIZATION, step 1305 is executed; otherwise, step 1304 is executed (step 1303).
The intermediate product generation unit 118 deletes all guards of the event contained in the Restricted model (step 1304). Taking the event inc of FIGS. 6A and 6B as an example, the guard 603 is deleted, as shown in FIGS. 9A to 9C.
The intermediate product generation unit 118 confirms that a counter variable for controlling the execution order of the events has been added to the Restricted model, and adds it if it has not been. It then adds to the actions of the INITIALIZATION event an action meaning "initialize the counter variable to 1" (step 1305). In the example of FIGS. 9A to 9C, the action 903 is added.
The intermediate product generation unit 118 confirms that a counter variable for controlling the execution order of the events has been added to the Restricted model, and adds it if it has not been. It then adds to the event a guard meaning "the counter variable is equal to the scheduler line number of the event" (step 1306). The scheduler line number means the line number of the line acquired in step 1301. In the example of FIGS. 9A to 9C, the guard 901 is added as this guard.
The intermediate product generation unit 118 adds to the event an action meaning "increment the counter variable" (step 1307). In the example of FIGS. 9A to 9C, the action 902 is added. If the scheduler still has unprocessed lines, the intermediate product generation unit 118 returns to step 1301; if all lines have been processed, it ends execution (step 1308).
The intermediate product generation unit 118 creates a true event, the branch event for the case where the acquired if branch condition is true, and a false event, the branch event for the case where it is false. The guard of the true event is set to the affirmation of the if branch condition, and the guard of the false event to its negation (step 1309). Taking the if branch condition 801 of FIG. 8 as an example, the event if1_true is created as the true event and the event if1_false as the false event, as shown in FIGS. 9A to 9C, and the guards 904 and 905 are added to the respective events.
The intermediate product generation unit 118 adds to each of the true and false events a guard meaning "the counter variable is equal to the scheduler line number of the if branch condition" (step 1310). In the example of FIGS. 9A to 9C, the guards 906 and 907 are added.
The intermediate product generation unit 118 adds to the true event an action meaning "increment the counter variable" (step 1311). In the example of FIGS. 9A to 9C, the action 908 is added.
The intermediate product generation unit 118 adds to the false event an action meaning "assign to the counter variable the scheduler line number of the else corresponding to the if branch condition, plus 1" (step 1312). In the example of FIG. 8, the line number of the else 807 is 4; therefore the action 909 is added, as shown in FIGS. 9A to 9C.
The intermediate product generation unit 118 creates an exit event for leaving the branch taken when the if branch condition is true. The exit event has a guard meaning "the counter variable is equal to the scheduler line number of the else" and an action meaning "assign to the counter variable the scheduler line number of the fi, plus 1" (step 1313). In the example of FIG. 8, the line number of the else 807 is 4 and that of the fi 805 is 5; therefore the exit event 910 is added, as shown in FIGS. 9A to 9C.
The intermediate product generation unit 118 creates a true event, the branch event for the case where the acquired do loop condition is true, and a false event, the branch event for the case where it is false. The guard of the true event is set to the affirmation of the do loop condition, and the guard of the false event to its negation (step 1314). Taking the do loop condition 802 of FIG. 8 as an example, the event loop1_true is created as the true event and the event loop1_false as the false event, as shown in FIGS. 9A to 9C, and the guards 911 and 912 are added to the respective events.
The intermediate product generation unit 118 adds to each of the true and false events a guard meaning "the counter variable is equal to the scheduler line number of the do loop condition" (step 1315). In the example of FIGS. 9A to 9C, the guards 913 and 914 are added.
The intermediate product generation unit 118 adds to the true event an action meaning "increment the counter variable" (step 1316). In the example of FIGS. 9A to 9C, the action 915 is added.
The intermediate product generation unit 118 adds to the false event an action meaning "assign to the counter variable the scheduler line number of the od, plus 1" (step 1317). In the example of FIG. 8, the line number of the od is 6; therefore the action 916 is added, as shown in FIGS. 9A to 9C.
The intermediate product generation unit 118 creates a return event for returning from the od to the do of the do loop. The return event has a guard meaning "the counter variable is equal to the scheduler line number of the od" and an action meaning "assign to the counter variable the scheduler line number of the do" (step 1318). In the example of FIG. 8, the line number of the od is 6, so the return event 917 is added, as shown in FIGS. 9A to 9C.
FIGS. 14A to 14C are flowcharts showing an example of the procedure, among the procedures of the intermediate product generation unit, for generating the Flattened code.
The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 executes in the memory 203. This program consists of code for performing the various operations described below.
By executing the intermediate product generation unit 118, the CPU 202 acquires the first of the unprocessed lines of the scheduler (step 1401).
The intermediate product generation unit 118 executes the following procedure according to the kind of line acquired in step 1401: if the acquired line is an event, step 1403 is executed; if it is an if branch condition, step 1409 is executed; if it is a do loop condition, step 1413 is executed; otherwise, step 1407 is executed (step 1402).
The intermediate product generation unit 118 determines whether the acquired event is INITIALIZATION. If the event is INITIALIZATION, step 1404 is executed; otherwise, step 1405 is executed (step 1403).
The intermediate product generation unit 118 creates code that declares the variables initialized by the acquired INITIALIZATION event (step 1404). In the example of FIGS. 6A and 6B, the INITIALIZATION event initializes the variables p, q and r, so these variables are declared by the code 1001, as shown in FIG. 10.
The intermediate product generation unit 118 converts the actions of the acquired event into code in the target programming language; an example of the conversion rules is shown in FIG. 15 (step 1405). Taking the event inc of FIGS. 6A and 6B as an example, the code 1002 is created, as shown in FIG. 10.
The intermediate product generation unit 118 attaches the scheduler line number of the event as a label at the head of the code created in step 1405 (step 1406). For example, in FIG. 8 the scheduler line number of the event inc is 3, so in FIG. 10 the label 3 is attached to the code 1002.
If the scheduler still has unprocessed lines, the intermediate product generation unit 118 returns to step 1401; if all lines have been processed, it proceeds to step 1408 (step 1407). The intermediate product generation unit 118 sorts the created code in order of label number (step 1408).
The intermediate product generation unit 118 creates the code of an if statement whose branch condition is the negation of the acquired if branch condition. As the body of this if statement code, it writes a goto statement that jumps to the label equal to the scheduler line number of the else corresponding to the acquired if branch condition, plus 1 (step 1409). Taking the if branch condition 801 of FIG. 8 as an example, the line number of the corresponding else 807 is 4; therefore the code 1004 of FIG. 10 is created.
The intermediate product generation unit 118 attaches the scheduler line number of the if branch condition as the label of the if statement code (step 1410). In the example of FIG. 10, the label 2 is attached, as shown in the code 1004.
The intermediate product generation unit 118 creates the code of a goto statement that jumps to the label equal to the scheduler line number of the fi corresponding to the if branch condition, plus 1 (step 1411). In the example of FIG. 8 the line number of the fi 805 is 5, so in the example of FIG. 10 the code 1005 is created.
The intermediate product generation unit 118 attaches the scheduler line number of the else corresponding to the if branch condition as the label of the goto statement code (step 1412). In the example of FIG. 8 the line number of the else 807 is 4, so in the example of FIG. 10 the label 4 is attached, as shown in the code 1005.
The intermediate product generation unit 118 creates the code of an if statement whose branch condition is the negation of the acquired do loop condition. As the body of this if statement code, it writes a goto statement that jumps to the label equal to the scheduler line number of the od corresponding to the acquired do loop condition, plus 1 (step 1413). Taking the do loop condition 802 of FIG. 8 as an example, the line number of the corresponding od 806 is 6; therefore the code 1003 of FIG. 10 is created. The intermediate product generation unit 118 attaches the scheduler line number of the do loop condition as the label of the if statement code (step 1414). In the example of FIG. 10, the label 1 is attached, as shown in the code 1003.
The intermediate product generation unit 118 creates the code of a goto statement that jumps to the label of the if statement code (step 1415). In the example of FIG. 10, the code 1006 is created. The intermediate product generation unit 118 attaches the scheduler line number of the od corresponding to the do loop condition as the label of the goto statement code (step 1416). In the example of FIG. 10, the label 6 is attached, as shown in the code 1006.
FIG. 15 is an example of conversion rules from the Event-B language to the C language. A conversion rule 1501 consists of an Event-B description 1502 and a C language description 1503. The Event-B description 1502 represents the description in the source Event-B language; the x and y appearing in it are metavariables for which an arbitrary logical formula denoting a truth value is substituted, and likewise a and b are metavariables for which an arbitrary expression denoting a numeric value is substituted. The C language description 1503 represents the description in the target C language; the x, y, a and b appearing in it correspond to the same symbols in the Event-B description 1502. A description such as T(x) denotes the result of converting x by these conversion rules. For example, for variables p and q, T(p∧q) means (p&&q).
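The rule T(p∧q) = (p&&q) is the only rule of FIG. 15 quoted on the page; the following added example (not the patent's code, and not its actual rule table) shows how such a rule set is applied recursively, with a small tokenizer and precedence parser for a subset of Event-B predicates and actions. The subset (∧, ∨, ¬, the six comparisons, the four arithmetic operators, and `x := e`), the precedence levels, the mapping of each operator to C, and the bracketing of every subterm are assumptions made here.

```python
# Added example (not from the patent): applying FIG. 15-style conversion
# rules T(·) recursively over an Event-B expression AST.
import re

# Token shapes: integer literal, identifier, ':=' and single-character symbols.
_TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|(:=)|([()∧∨¬=≠<≤>≥+\-*÷]))")


def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m or m.end() == pos:
            raise SyntaxError(f"unexpected input at {text[pos:]!r}")
        pos = m.end()
        num, ident, assign, sym = m.groups()
        if num:
            out.append(("num", num))
        elif ident:
            out.append(("id", ident))
        elif assign:
            out.append(("op", ":="))
        elif sym:
            out.append(("op", sym))
    return out


# Assumed precedence, lowest first: ∨ < ∧ < comparisons < + - < * ÷ < ¬.
_BINARY = {"∨": 1, "∧": 2, "=": 3, "≠": 3, "<": 3, "≤": 3, ">": 3, "≥": 3,
           "+": 4, "-": 4, "*": 5, "÷": 5}


class Parser:
    """Precedence-climbing parser producing nested tuples (op, left, right)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def advance(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse_expr(self, min_prec=1):
        left = self.parse_unary()
        while True:
            kind, val = self.peek()
            prec = _BINARY.get(val) if kind == "op" else None
            if prec is None or prec < min_prec:
                return left
            self.advance()
            right = self.parse_expr(prec + 1)       # left-associative
            left = (val, left, right)

    def parse_unary(self):
        kind, val = self.advance()
        if kind == "op" and val == "¬":
            return ("¬", self.parse_unary())
        if kind == "op" and val == "(":
            e = self.parse_expr()
            if self.advance() != ("op", ")"):
                raise SyntaxError("missing )")
            return e
        if kind in ("num", "id"):
            return val
        raise SyntaxError(f"unexpected token {val!r}")


# Assumed per-operator C spellings; only ∧ -> && is given on the page.
_C_OP = {"∧": "&&", "∨": "||", "=": "==", "≠": "!=", "≤": "<=", "≥": ">=",
         "<": "<", ">": ">", "+": "+", "-": "-", "*": "*", "÷": "/"}


def T(node):
    """Conversion rule T: T(x ∧ y) = (T(x)&&T(y)), and likewise for the rest."""
    if isinstance(node, str):              # literal or identifier: unchanged
        return node
    if node[0] == "¬":
        return f"(!{T(node[1])})"
    op, left, right = node
    return f"({T(left)}{_C_OP[op]}{T(right)})"


def translate_predicate(text):
    """Event-B predicate text to a C condition, e.g. 'p ∧ q' -> '(p&&q)'."""
    p = Parser(tokenize(text))
    expr = p.parse_expr()
    if p.peek() != (None, None):
        raise SyntaxError("trailing tokens")
    return T(expr)


def translate_action(text):
    """Event-B action 'x := e' to the C statement 'x = T(e);'."""
    toks = tokenize(text)
    if len(toks) < 3 or toks[0][0] != "id" or toks[1] != ("op", ":="):
        raise SyntaxError("expected 'var := expr'")
    p = Parser(toks[2:])
    expr = p.parse_expr()
    if p.peek() != (None, None):
        raise SyntaxError("trailing tokens")
    return f"{toks[0][1]} = {T(expr)};"


if __name__ == "__main__":
    print(translate_predicate("p ∧ q"), translate_action("r := r + 1 + q"))
```

Bracketing every subterm is deliberate: it makes the generated C independent of C's own precedence table, so the translation stays correct even where Event-B and C would otherwise bind operators differently.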
FIGS. 16A and 16B are flowcharts showing an example of the procedure of the code generation unit. The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 executes in the memory 203. This program consists of code for performing the various operations described below.
By executing the code generation unit 105, the CPU 202 acquires the first of the unprocessed lines of the scheduler (step 1601).
The code generation unit 105 executes the following procedure according to the kind of line acquired in step 1601: if the acquired line is an event, step 1603 is executed; if it is an if branch condition, step 1607 is executed; if it is a do loop condition, step 1408 is executed; if it is an else, step 1611 is executed; if it is a fi, step 1609 is executed; if it is an od, step 1610 is executed; if it is a precondition or a postcondition, step 1606 is executed (step 1602).
The code generation unit 105 determines whether the acquired event is INITIALIZATION. If the event is INITIALIZATION, step 1604 is executed; otherwise, step 1605 is executed (step 1603).
The code generation unit 105 creates code that declares the variables initialized by the acquired INITIALIZATION event (step 1604). In the example of FIGS. 6A and 6B, the INITIALIZATION event initializes the variables p, q and r, so these variables are declared by the code 1101, as shown in FIG. 11.
The code generation unit 105 converts the actions of the acquired event into code in the target programming language; an example of the conversion rules is as shown in FIG. 15 (step 1605). Taking the event inc of FIGS. 6A and 6B as an example, the code 1102 is created, as shown in FIG. 11.
If the scheduler still has unprocessed lines, the code generation unit 105 returns to step 1601; if all lines have been processed, it ends the processing (step 1606). The code generation unit 105 creates an if statement code whose branch condition is the acquired if branch condition, together with the opening bracket ({) of its body (step 1607). For the if branch condition 801 of FIG. 8, the code 1103 is created, as shown in FIG. 11.
The code generation unit 105 writes a while statement code whose loop condition is the acquired do loop condition, together with the opening bracket ({) of its body (step 1608). For the do loop condition 802 of FIG. 8, the code 1104 is created, as shown in FIG. 11.
For the acquired fi, the code generation unit 105 writes the closing bracket (}) of the if statement code (step 1609). For the fi 805 of FIG. 8, the code 1105 of FIG. 11 is created.
For the acquired od, the code generation unit 105 writes the closing bracket (}) of the while statement code (step 1610). For the od 806 of FIG. 8, the code 1106 of FIG. 11 is created.
For the acquired else, the code generation unit 105 writes the closing bracket (}) of the if statement code, an else statement code, and the opening bracket ({) of the else body (step 1611). For the else 807 of FIG. 8, the code 1107 of FIG. 11 is created.
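The Flattened code procedure of FIGS. 14A to 14C and the Target code procedure of FIGS. 16A and 16B both walk the same scheduler, one producing label-and-goto code and the other structured if/while code. The following added example, which is not the patent's code and does not reproduce FIG. 8, FIG. 10 or FIG. 11, implements both walks over one constructed scheduler so the two outputs can be compared side by side. Assumptions made here: the scheduler is a list indexed by line number with INITIALIZATION on line 0, event actions are already in C form (the FIG. 15 conversion is out of scope), labels are spelled `Lk` because C labels must be identifiers, the declarations carry the initial values, and a labelled no-op is emitted for any goto target that has no code of its own (the page does not say what follows the last od).

```python
# Added example (not from the patent): Flattened code (FIGS. 14A-C) and
# Target code (FIGS. 16A-B) generated from one constructed scheduler.
import re

INIT = "INITIALIZATION"

# Constructed scheduler: index = scheduler line number; kinds follow the page.
# The INITIALIZATION payload lists (variable, initial value); other events
# carry their actions already converted to C statements. n is assumed to be
# a context constant declared elsewhere.
SCHEDULER = [
    ("event", (INIT, [("p", "0"), ("q", "0"), ("r", "0")])),  # line 0
    ("do",    "p < n"),                                        # line 1
    ("if",    "q == 0"),                                       # line 2
    ("event", ("inc", ["r = r + 1;", "p = p + 1;"])),          # line 3
    ("else",  None),                                           # line 4
    ("event", ("dec", ["r = r - 1;", "p = p + 1;"])),          # line 5
    ("fi",    None),                                           # line 6
    ("od",    None),                                           # line 7
]


def match_blocks(sched):
    """Pair each if with its else/fi and each do with its od (line numbers)."""
    stack, pairs = [], {}
    for ln, (kind, _) in enumerate(sched):
        if kind in ("if", "do"):
            stack.append((kind, ln))
        elif kind == "else":
            assert stack and stack[-1][0] == "if", "else outside if"
            pairs.setdefault(stack[-1][1], {})["else"] = ln
        elif kind in ("fi", "od"):
            opener, start = stack.pop()
            assert (opener, kind) in (("if", "fi"), ("do", "od")), "unbalanced"
            pairs.setdefault(start, {})[kind] = ln
    assert not stack, "unclosed block"
    return pairs


def flattened_code(sched):
    """Flattened code: one labelled chunk per scheduler line, control flow as
    goto, chunks sorted by label number (step 1408)."""
    pairs = match_blocks(sched)
    chunks, decls = {}, []                      # label -> C lines
    for ln, (kind, payload) in enumerate(sched):
        if kind == "event":
            name, body = payload
            if name == INIT:                                   # step 1404
                decls = [f"int {v} = {val};" for v, val in body]
            else:                                              # steps 1405-1406
                chunks[ln] = list(body)
        elif kind == "if":                                     # steps 1409-1412
            e, f = pairs[ln]["else"], pairs[ln]["fi"]
            chunks[ln] = [f"if (!({payload})) goto L{e + 1};"]
            chunks[e] = [f"goto L{f + 1};"]
        elif kind == "do":                                     # steps 1413-1416
            o = pairs[ln]["od"]
            chunks[ln] = [f"if (!({payload})) goto L{o + 1};"]
            chunks[o] = [f"goto L{ln};"]
        # else / fi / od lines emit nothing of their own (step 1407)
    # Constructed addition: give every goto target a (possibly empty) chunk,
    # so the loop exit and an empty else branch still have a label to reach.
    for line in [l for c in chunks.values() for l in c]:
        for ref in re.findall(r"goto L(\d+);", line):
            chunks.setdefault(int(ref), [";"])
    out = list(decls)
    for label in sorted(chunks):                               # step 1408
        first, *rest = chunks[label]
        out.append(f"L{label}: {first}")
        out.extend(rest)
    return out


def target_code(sched):
    """Target code: structured C with if/else and while blocks."""
    out, depth = [], 0

    def ind():
        return "    " * depth

    for kind, payload in sched:
        if kind == "event":
            name, body = payload
            if name == INIT:                                   # step 1604
                out += [f"{ind()}int {v} = {val};" for v, val in body]
            else:                                              # step 1605
                out += [ind() + stmt for stmt in body]
        elif kind == "if":                                     # step 1607
            out.append(f"{ind()}if ({payload}) {{")
            depth += 1
        elif kind == "do":                                     # step 1608
            out.append(f"{ind()}while ({payload}) {{")
            depth += 1
        elif kind == "else":                                   # step 1611
            depth -= 1
            out.append(f"{ind()}}} else {{")
            depth += 1
        elif kind in ("fi", "od"):                             # steps 1609-1610
            depth -= 1
            out.append(f"{ind()}}}")
    return out


if __name__ == "__main__":
    print("\n".join(flattened_code(SCHEDULER)))
    print("\n".join(target_code(SCHEDULER)))
```

Running it prints the two forms of the same control flow; the Flattened form is the one the page's equivalence proofs compare against, since its labels are exactly the scheduler line numbers that the Scheduled model's counter variable takes.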
FIG. 17 is a flowchart showing an example of the procedure of the model refinement proof unit. The processing shown below is realized by a program that the CPU 202 of the source code generation device 201 executes in the memory 203. This program consists of code for performing the various operations described below.
By executing the model refinement proof unit 109, the CPU 202 acquires the Restricted model from the Restricted model holding unit. It further acquires, from the Scheduled model holding unit 106, the Scheduled model that the intermediate product generation unit 118 generated from the Restricted model. It then sets the machine of the Scheduled model as a refining machine of the Restricted model; specifically, it sets the name of the most refined machine of the Restricted model in the REFINES clause of the Scheduled model's machine (step 1701).
The model refinement proof unit 109 makes the context referenced by the Restricted model visible from the Scheduled model; specifically, it sets the name of the context that the most refined machine of the Restricted model references (SEES) in the SEES clause of the Scheduled model's machine (step 1702).
The model refinement proof unit 109 generates the proof obligations for the refinement from the Restricted model and the Scheduled model. A method for producing refinement proof obligations is disclosed in, for example, Non-Patent Document 2, pp. 192-197 (step 1703).
The model refinement proof unit 109 proves the proof obligations using inference rules. A method for proving proof obligations is disclosed in, for example, Non-Patent Document 2, pp. 306-352. The proof result is registered in the refinement proof result holding unit 110 (step 1704).
 図18A、Bは中間物等価性証明部の手順例を示すフローチャートである。以下に示す処理は、ソースコード生成装置201の備えるCPU202が、メモリ203で実行するプログラムによって実現される。そしてこのプログラムは、以下に説明される各種の動作を行うためのコードから構成されている。 18A and 18B are flowcharts showing an example of the procedure of the intermediate equivalence equivalence proving unit. The processing shown below is realized by a program executed by the memory 203 by the CPU 202 included in the source code generation device 201. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below.
 CPU202は、中間物等価性証明部114を実行することによって、Scheduledモデル保持部106からScheduledモデルを取得し、そのINITIALIZATIONイベントを取得する(ステップ1801)。 The CPU 202 executes the intermediate equivalence proof unit 114 to acquire the Scheduled model from the Scheduled model holding unit 106, and acquires the INITIALIZATION event (Step 1801).
 中間物等価性証明部114は、上記Scheduledモデルの未処理のイベントのうち、ガードが制約するカウンタ変数の値が最小のイベントを取得する。カウンタ変数の値が最小のイベントは、複数存在する場合がある(ステップ1802)。 The intermediate equivalence proof unit 114 acquires an event having the smallest counter variable value restricted by the guard among unprocessed events of the Scheduled model. There may be a plurality of events having the smallest counter variable value (step 1802).
 中間物等価性証明部114は、ステップ1802で取得したイベントが、上記カウンタ変数を制約するガード以外のガードを含むかを判定する。含む場合はステップ1804に進む。含まない場合はステップ1805に進む(ステップ1803)。 The intermediate equivalence proof unit 114 determines whether the event acquired in Step 1802 includes a guard other than the guard that restricts the counter variable. If yes, go to Step 1804. If not included, the process proceeds to step 1805 (step 1803).
 中間物等価性証明部114は、ステップ1802で取得したイベントから、否定形式のガードを持つイベントであるfalseイベントを抽出する(ステップ1804)。図9A~Cの例では、カウンタ変数pcが1に制約されるイベントとして、loop1_trueとloop1_falseの2つのイベントがあるが、このうち、否定形式のガード912を持つイベントloop1_falseを抽出する。 The intermediate equivalence proof unit 114 extracts a false event that is an event having a negative guard from the event acquired in Step 1802 (Step 1804). In the example of FIGS. 9A to 9C, there are two events, loop1_true and loop1_false, as events for which the counter variable pc is constrained to 1. Of these, the event loop1_false having a negative guard 912 is extracted.
 中間物等価性証明部114は、ステップ1802で取得したイベントが含むアクションのうち、上記カウンタ変数を更新するアクションは「pc:=pc+1」であるかを確認する。上記アクションの場合はステップ1809を実行する。上記アクションでない場合は、ステップ1808を実行する(ステップ1805)。例えば図9A~Cのイベントincの場合、カウンタ変数pcに対する代入アクションは、アクション902に示す通り「pc:=pc+1」である。よってステップ1809を実行する。一方、イベントif1_exitの場合、pcに対する代入アクションは「pc:=6」である。よってこの場合はステップ1808を実行する。 The intermediate equivalence proof unit 114 confirms whether the action for updating the counter variable among the actions included in the event acquired in Step 1802 is “pc: = pc + 1”. In the case of the above action, step 1809 is executed. If it is not the above action, step 1808 is executed (step 1805). For example, in the event inc of FIGS. 9A to 9C, the substitution action for the counter variable pc is “pc: = pc + 1” as shown in action 902. Therefore, step 1809 is executed. On the other hand, for the event if1_exit, the substitution action for pc is “pc: = 6”. Therefore, in this case, step 1808 is executed.
 中間物等価性証明部114は、上記falseイベントのガードを分岐条件として持つ、if文コードを作成する(ステップ1806)。例えば図9A~Cのイベントloop1_falseの場合、コード1004に相当するコードを生成する。 The intermediate equivalence proof unit 114 creates an if statement code having the false event guard as a branching condition (step 1806). For example, in the case of the event loop1_false in FIGS. 9A to 9C, a code corresponding to the code 1004 is generated.
 中間物等価性証明部114は、上記falseイベントにおいて、上記カウンタ変数に代入される値のラベルへジャンプするgoto文コードを作成し、上記if文コードの処理として追加する(ステップ1807)。例えば図9A~Cにおけるイベントloop1_falseの場合、カウンタ変数pcに代入される値は7である。この場合、コード1003のgoto文に相当するコードを生成する。 The intermediate equivalence prover 114 creates a goto statement code that jumps to the label of the value assigned to the counter variable in the false event, and adds it as the processing of the if statement code (step 1807). For example, in the case of event loop1_false in FIGS. 9A to 9C, the value assigned to the counter variable pc is 7. In this case, a code corresponding to the goto statement of the code 1003 is generated.
  The intermediate equivalence proof unit 114 creates goto-statement code that jumps to the label whose number is the value assigned to the counter variable in the action of the acquired event that updates that counter variable (step 1808). In the case of the event if1_exit in FIGS. 9A to 9C, the number assigned to the counter variable pc is 6, so code corresponding to code 1005 is generated.
  The intermediate equivalence proof unit 114 converts the action of the acquired event into code in the programming language. An example of the conversion rules is shown in FIG. 15 (step 1809).
  The intermediate equivalence proof unit 114 attaches, as a label on the first line of the code created in the preceding steps, the value of the counter variable constrained by the guard of the event acquired in step 1802. The INITIALIZATION event has no guard, however, so 0 is attached as its label (step 1810). For example, for the event inc in FIGS. 9A to 9C, the value of the counter variable pc constrained by guard 901 is 3. Accordingly, as shown in FIG. 10, label 2 is attached to code 1002.
  The intermediate equivalence proof unit 114 checks whether any event of the Scheduled model remains unprocessed. If an unprocessed event remains, the process returns to step 1802. If all events have been processed, step 1812 is executed (step 1811).
  The intermediate equivalence proof unit 114 acquires from the Flattened code holding unit 107 the already generated Flattened code corresponding to the Scheduled model, created by the procedure shown in FIGS. 14A to 14C, and compares it with the code created in the preceding steps (step 1812).
  If the generated Flattened code and the created code match, the intermediate equivalence proof unit 114 executes step 1814; if they do not match, it executes step 1815 (step 1813).
  The intermediate equivalence proof unit 114 outputs equivalence-proof success and registers it as the proof result in the intermediate proof result holding unit 115 (step 1814). The intermediate equivalence proof unit 114 outputs equivalence-proof failure and registers it as the proof result in the intermediate proof result holding unit 115 (step 1815).
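As an added example, not code from the patent, the following Python sketches steps 1802 to 1815 on a constructed Scheduled model: each event becomes a labelled block whose closing goto is derived from the pc update, and the regenerated code is compared textually with the stored Flattened code. The Event representation, the action conversion rule, the label numbering and the sample events are assumptions; the page's actual conversion rules are those of FIG. 15.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One Scheduled-model event (constructed representation, not the patent's own format)."""
    name: str
    pc_guard: int | None        # pc value required by the guard; None for INITIALIZATION (no guard)
    condition: str | None       # further guard condition in target syntax; None when the event is
                                # reached by falling through a preceding conditional event
    actions: tuple[str, ...]    # assignment actions other than the pc update, e.g. "x := x + 1"
    pc_next: int                # value the action assigns to the counter variable pc


def action_to_code(action: str) -> str:
    """Assumed conversion rule for one assignment action (the page's rules are those of FIG. 15)."""
    lhs, rhs = action.split(":=", 1)
    return f"{lhs.strip()} = {rhs.strip()};"


def events_to_flattened(events: list[Event]) -> list[str]:
    """Steps 1802-1811: events are visited in scheduler order; each yields a labelled block."""
    code: list[str] = []
    labelled: set[int] = set()
    for ev in events:
        label = 0 if ev.pc_guard is None else ev.pc_guard       # step 1810
        if label not in labelled:       # events guarded by the same pc value share one label
            code.append(f"L{label}:")
            labelled.add(label)
        jump = f"goto L{ev.pc_next};"                            # step 1808
        if ev.condition is not None:
            code.append(f"if ({ev.condition}) {jump}")          # guarded exit of an if or a loop
        else:
            code.extend(action_to_code(a) for a in ev.actions)  # step 1809
            code.append(jump)
    return code


def prove_intermediate_equivalence(events, stored_flattened) -> bool:
    """Steps 1812-1815: success iff the regenerated code is identical to the stored Flattened code."""
    return events_to_flattened(events) == list(stored_flattened)


# Constructed model: initialise x, loop while x < n incrementing x, then set done.
EVENTS = [
    Event("INITIALIZATION", None, None, ("x := 0",), 1),
    Event("loop_exit", 1, "!(x < n)", (), 3),
    Event("inc", 1, None, ("x := x + 1",), 1),
    Event("finish", 3, None, ("done := 1",), 4),
]

# Constructed Flattened code as it would sit in the Flattened code holding unit 107.
STORED_FLATTENED = [
    "L0:", "x = 0;", "goto L1;",
    "L1:", "if (!(x < n)) goto L3;", "x = x + 1;", "goto L1;",
    "L3:", "done = 1;", "goto L4;",
]

if __name__ == "__main__":
    print("\n".join(events_to_flattened(EVENTS)))
    ok = prove_intermediate_equivalence(EVENTS, STORED_FLATTENED)
    print("intermediate equivalence proof:", "success" if ok else "failure")
```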
  FIG. 19 is a flowchart showing an example of the procedure of the code equivalence proof unit. The processing described below is realized by a program that the CPU 202 of the source code generation device 201 executes in the memory 203; the program consists of code for performing the various operations described below.
  The CPU 202 executes the code equivalence proof unit 116 to acquire the Flattened code from the Flattened code holding unit 107 and converts it by the goto conversion process shown in FIGS. 20A and 20B (step 1901).
  The code equivalence proof unit 116 acquires from the Target code holding unit 108 the already generated Target code corresponding to the Flattened code, created by the procedure shown in FIGS. 16A and 16B, and compares it with the code created in step 1901 (step 1902).
  If the generated Target code and the created code match, the code equivalence proof unit 116 executes step 1904; if they do not match, it executes step 1905 (step 1903).
  The code equivalence proof unit 116 outputs equivalence-proof success and registers it as the proof result in the code proof result holding unit 117 (step 1904). The code equivalence proof unit 116 outputs equivalence-proof failure and registers it as the proof result in the code proof result holding unit 117 (step 1905).
  FIGS. 20A and 20B are flowcharts showing an example of the goto conversion procedure. The processing described below is realized by a program that the CPU 202 of the source code generation device 201 executes in the memory 203; the program consists of code for performing the various operations described below.
  The CPU 202 executes the code equivalence proof unit 116 to acquire the first of the unprocessed lines of the input Flattened code (step 2001).
  The code equivalence proof unit 116 performs the following procedure depending on the type of the line acquired in step 2001. If the acquired line is if-statement code, step 2004 is executed. If the acquired line is assignment-statement code, step 2003 is executed (step 2002).
  The code equivalence proof unit 116 writes the acquired assignment-statement line unchanged as assignment-statement code (step 2003).
  The code equivalence proof unit 116 checks whether the Flattened code contains a goto statement that jumps to the acquired if-statement code. If such a goto statement exists, step 2005 is executed. If not, step 2008 is executed (step 2004).
  The code equivalence proof unit 116 creates a while statement whose loop condition is the branch condition of the acquired if statement with its negation removed (step 2005). Taking FIG. 10 as an example, while-statement code 1104 of FIG. 11 is created from if-statement code 1003.
  The code equivalence proof unit 116 recursively applies this goto conversion process to the code of the Flattened code lying between the acquired if-statement code and the goto statement that jumps to that if statement (step 2006). In the example of FIG. 10, it is applied recursively to the code between if-statement code 1003 and goto-statement code 1006.
  The code equivalence proof unit 116 writes the code created by that recursive application as the body of the while statement created in step 2005 (step 2007).
  The code equivalence proof unit 116 creates an if statement whose branch condition is the branch condition of the acquired if statement with its negation removed (step 2008). In the example of FIG. 10, if-statement code 1103 of FIG. 11 is created from if-statement code 1004.
  The code equivalence proof unit 116 recursively applies this goto conversion process to the code of the Flattened code lying between the acquired if-statement code and the goto statement located on the line one before the line jumped to by the goto statement contained in the body of that if statement (step 2009). In the example of FIG. 10, it is applied recursively to the code between if-statement code 1004 and goto-statement code 1005.
  The code equivalence proof unit 116 writes the code created by that recursive application as the body of the if statement created in step 2008 (step 2010).
  The code equivalence proof unit 116 writes, as an else statement, the goto statement located on the line one before the line jumped to by the goto statement contained in the body of the acquired if statement (step 2011). In the example of FIG. 10, else-statement code 1107 of FIG. 11 is created from goto-statement code 1005.
  For the goto statement converted into an else statement in step 2011, the code equivalence proof unit 116 recursively applies this goto conversion process to the code between that goto statement and the line it jumps to (step 2012). In the example of FIG. 10, it is applied recursively to the code between goto-statement code 1005 and code 1006.
  The code equivalence proof unit 116 writes the code created by that recursive application as the body of the else statement created in step 2011 (step 2013).
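As an added example, not the patent's own code, the following Python implements the goto conversion of steps 2001 to 2013 as a recursive pass over a list of Flattened-code lines and then compares the result with a stored Target code as in steps 1902 to 1905. The line syntax (labels `Ln:`, `if (cond) goto Ln;`, `goto Ln;`) and the sample code, shaped like the loop-with-if/else of FIG. 10 but not taken from it, are assumptions; it also handles an if without an else, which the steps above do not describe.

```python
import re

IF_RE = re.compile(r"^if \((.*)\) goto (L\d+);$")
GOTO_RE = re.compile(r"^goto (L\d+);$")
LABEL_RE = re.compile(r"^(L\d+):$")

def strip_negation(cond: str) -> str:
    """Drop the outer negation of a flattened branch condition: '!(x < n)' -> 'x < n'."""
    cond = cond.strip()
    if cond.startswith("!(") and cond.endswith(")"):
        return cond[2:-1].strip()
    return cond[1:].strip() if cond.startswith("!") else cond

def structure_gotos(lines, lo=0, hi=None, depth=0):
    """Steps 2001-2013 over lines[lo:hi]; the recursion of steps 2006, 2009 and 2012 handles nesting."""
    hi = len(lines) if hi is None else hi
    pad = "  " * depth
    out = []
    i = lo
    while i < hi:
        line = lines[i]
        if LABEL_RE.match(line):            # a label is not a statement, so nothing is emitted
            i += 1
            continue
        m = IF_RE.match(line)
        if m is None:
            if GOTO_RE.match(line):         # every goto must be consumed by a loop or if/else pattern
                raise ValueError(f"line {i}: {line!r} is not part of a recognised pattern")
            out.append(pad + line)          # step 2003: assignment copied unchanged
            i += 1
            continue
        cond, target = strip_negation(m.group(1)), m.group(2)
        # Step 2004: a goto jumping back to the label just above this if statement marks a loop head.
        head = LABEL_RE.match(lines[i - 1]) if i > 0 else None
        back = None
        if head:
            back = next((j for j in range(i + 1, hi) if lines[j] == f"goto {head.group(1)};"), None)
        if back is not None:
            out.append(f"{pad}while ({cond}) {{")                          # step 2005
            out.extend(structure_gotos(lines, i + 1, back, depth + 1))      # steps 2006-2007
            out.append(f"{pad}}}")
            i = back + 1
            continue
        dest = lines.index(f"{target}:")            # line the if's own goto jumps to
        out.append(f"{pad}if ({cond}) {{")                                    # step 2008
        else_goto = GOTO_RE.match(lines[dest - 1])  # the goto on the line before that destination
        if else_goto is None:                       # if without else: generalisation beyond the steps
            out.extend(structure_gotos(lines, i + 1, dest, depth + 1))
            out.append(f"{pad}}}")
            i = dest
            continue
        out.extend(structure_gotos(lines, i + 1, dest - 1, depth + 1))       # steps 2009-2010
        out.append(f"{pad}}} else {{")                                        # step 2011
        end = lines.index(f"{else_goto.group(1)}:")
        out.extend(structure_gotos(lines, dest, end, depth + 1))             # steps 2012-2013
        out.append(f"{pad}}}")
        i = end
    return out

def prove_code_equivalence(flattened, target) -> bool:
    """Steps 1902-1905: success iff the structured code is identical to the stored Target code."""
    return structure_gotos(list(flattened)) == list(target)

# Constructed Flattened code (shaped like the loop with an if/else of FIG. 10, not the figure itself).
FLATTENED = [
    "L0:", "x = 0;",
    "L1:", "if (!(x < n)) goto L6;",
    "L2:", "if (!(x % 2 == 0)) goto L4;", "even = even + 1;", "goto L5;",
    "L4:", "odd = odd + 1;",
    "L5:", "x = x + 1;", "goto L1;",
    "L6:", "done = 1;",
]
# Constructed Target code for the same model, as the Target code holding unit 108 would store it.
TARGET = [
    "x = 0;",
    "while (x < n) {",
    "  if (x % 2 == 0) {",
    "    even = even + 1;",
    "  } else {",
    "    odd = odd + 1;",
    "  }",
    "  x = x + 1;",
    "}",
    "done = 1;",
]

if __name__ == "__main__":
    print("\n".join(structure_gotos(FLATTENED)), prove_code_equivalence(FLATTENED, TARGET))
```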
  Although in this embodiment the source code generation device and the source code proof device have been described as separate devices, both functions may be realized in a single device.
  Thus, according to the source code generation device of this embodiment, when source code is generated from a formal model whose correctness with respect to the software specification has been formally proven, the device also generates a Scheduled model, a formal model that includes a control structure, and Flattened code, source code that uses goto statements in place of if branches and do loops. The Scheduled model and the Flattened code bridge the differences between the Restricted model and the Target code, namely the presence or absence of control structures and the difference in language. That is, by proving the refinement relationship between the originating formal model and the Scheduled model, the equivalence of the Scheduled model and the Flattened code, and the equivalence of the Flattened code and the generated source code, it can be proven that the generated source code is the result of refining the specification expressed by the originating formal model. Consequently, an error in the generated source code can be detected, and software defects are thereby reduced.
DESCRIPTION OF SYMBOLS
  101  Model editing unit
  102  Developed model holding unit
  103  Model conversion unit
  104  Restricted model holding unit
  105  Code generation unit
  106  Scheduled model holding unit
  107  Flattened code holding unit
  108  Target code holding unit
  109  Model refinement proof unit
  110  Refinement proof result holding unit
  111  Scheduler holding unit
  112  Scheduler editing unit
  113  Scheduler checking unit
  114  Intermediate equivalence proof unit
  115  Intermediate proof result holding unit
  116  Code equivalence proof unit
  117  Code proof result holding unit
  118  Intermediate generation unit

Claims (7)

  1.  A source code generation device that generates source code described in a programming language from a software specification described in a formal language, comprising:
     scheduler editing means for editing a scheduler that defines, for the processing of the software specification, which contains no control structure, a control structure including at least an if conditional branch structure and a do loop structure;
     source code generation means for generating, from the software specification and the edited scheduler, source code including at least an if conditional branch structure or a do loop structure;
     Scheduled model generation means for generating, from the software specification and the edited scheduler, a Scheduled model described in the formal language and including a control structure; and
     Flattened code generation means for generating, from the software specification and the edited scheduler, Flattened code described in the programming language that includes goto statements but no if conditional branch structure or do loop structure.
  2.  The source code generation device according to claim 1, further comprising:
     refinement proof means for proving a refinement relationship between the software specification and the Scheduled model;
     intermediate equivalence proof means for proving equivalence between the Scheduled model and the Flattened code; and
     code equivalence proof means for proving equivalence between the Flattened code and the source code.
  3.  The source code generation device according to claim 1 or 2, wherein
     the software specification includes events each composed of a guard condition and assignment actions,
     the scheduler editing means describes if conditional branch elements, being if conditional branch structures whose bodies are events, do loop elements, being do loop structures whose bodies are events, and sequential compositions of events, and describes for each event, each if conditional branch element and each do loop element a pre-state and a post-state, being the conditions that must hold before and after its execution respectively,
     the device further comprises scheduler checking means for checking the scheduler in which the if conditional branch elements, the do loop elements, the sequential compositions, and the pre-states and post-states are described, and
     the scheduler checking means confirms that the pre-conditions and the post-conditions are not contradictory across the if conditional branch elements, the do loop elements and the sequential compositions described in the scheduler.
  4.  The source code generation device according to any one of claims 1 to 3, further comprising
     software specification generation means for generating the software specification, whose variables and constants have upper and lower bounds, from a pre-constraint specification, being another software specification described in the formal language whose variables or constants have no upper or lower bound, and, where the software specification contains an arithmetic expression, for setting the upper and lower bounds of the constants so that the arithmetic expression never assigns to a variable a value exceeding its upper or lower bound.
  5.  A source code proof device comprising:
     accepting means for accepting from a source code generation device, as evidence proving the correctness of source code with respect to a software specification, the software specification, described in a formal language and containing no control structure; a scheduler that defines, for the processing of the software specification, a control structure including at least an if conditional branch structure and a do loop structure; the source code, described in a programming language; a Scheduled model, described in the formal language and including a control structure, generated from the software specification and the edited scheduler; and Flattened code, described in the programming language and generated from the software specification and the edited scheduler, that includes goto statements but no if conditional branch structure or do loop structure;
     refinement proof means for proving the refinement relationship between the software specification and the Scheduled model;
     intermediate equivalence proof means for proving the equivalence of the Scheduled model and the Flattened code; and
     code equivalence proof means for proving the equivalence of the Flattened code and the source code.
  6.  A source code generation method for generating source code described in a programming language from a software specification described in a formal language, comprising:
     a scheduler editing step of editing a scheduler that defines, for the processing of the software specification, which contains no control structure, a control structure including at least an if conditional branch structure and a do loop structure;
     a source code generation step of generating, from the software specification and the edited scheduler, source code including at least an if conditional branch structure or a do loop structure;
     a Scheduled model generation step of generating, from the software specification and the edited scheduler, a Scheduled model described in the formal language and including a control structure; and
     a Flattened code generation step of generating, from the software specification and the edited scheduler, Flattened code described in the programming language that includes goto statements but no if conditional branch structure or do loop structure.
  7.  A source code generation program that causes a computer to execute:
     a scheduler editing step of editing a scheduler that defines, for the processing of a software specification described in a formal language and containing no control structure, a control structure including at least an if conditional branch structure and a do loop structure;
     a source code generation step of generating, from the software specification and the edited scheduler, source code described in a programming language and including at least an if conditional branch structure or a do loop structure;
     a Scheduled model generation step of generating, from the software specification and the edited scheduler, a Scheduled model described in the formal language and including a control structure; and
     a Flattened code generation step of generating, from the software specification and the edited scheduler, Flattened code described in the programming language that includes goto statements but no if conditional branch structure or do loop structure.
PCT/JP2013/083185 2013-12-11 2013-12-11 Source code generation device, source code verification device, source code generation method, and source code generation program WO2015087409A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2013/083185 WO2015087409A1 (en) 2013-12-11 2013-12-11 Source code generation device, source code verification device, source code generation method, and source code generation program
JP2015552239A JP6084706B2 (en) 2013-12-11 2013-12-11 Source code generation device, source code verification device, source code generation method, and source code generation program
Publications (1)

Publication Number Publication Date
WO2015087409A1 (en) 2015-06-18