WO2015107711A1 - Model checking device for distributed environment models, model checking method for distributed environment models, and program - Google Patents
- Publication number: WO2015107711A1 (application PCT/JP2014/071844)
- Authority: WO (WIPO (PCT))
- Prior art keywords: distributed environment, state, transition, environment model, searched
- Prior art date:
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F11/00—Error detection; Error correction; Monitoring > G06F11/36—Preventing errors by testing or debugging software > G06F11/3604—Software analysis for verifying properties of programs > G06F11/3608—Software analysis for verifying properties of programs using formal methods, e.g. model checking, abstract interpretation
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F11/00—Error detection; Error correction; Monitoring > G06F11/30—Monitoring
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F11/00—Error detection; Error correction; Monitoring > G06F11/36—Preventing errors by testing or debugging software
Definitions
- The present invention relates to a model checking device for distributed environment models, a model checking method for distributed environment models, and a program.
- Model checking is a technique that models a verification target as a state transition system and searches it exhaustively to verify whether the target satisfies its specification. Because it can be applied from the design stage and gives a guarantee as to whether the target meets the specification, it is attracting attention as a technique for improving the reliability of systems and software.
- Non-Patent Document 1 discloses a technique in which, when the states of a network controlled by OpenFlow technology (see Non-Patent Documents 2 and 3) are searched by model checking, the OpenFlow controller program is executed symbolically so that all of its code paths are covered, and the set of representative packet values obtained in this way is used for the state search.
- Model checking has the features described above, but it has the problem that the memory and time required for the computation grow exponentially with the scale of the verification target. Efficient search is therefore essential in model checking aimed at verifying practical systems and software.
- Non-Patent Document 4 discloses Dynamic Partial Order Reduction (DPOR), a technique for pruning searches that are redundant from the point of view of verification, in model checking of a multithreaded environment model.
- In DPOR (Dynamic Partial Order Reduction), the transitions between states are first made along one appropriate path. Then, in the transition sequence of that path, it is checked whether there is a pair of transitions whose execution order influences the execution result. Such a pair is called dependent transitions.
- For such a pair, a backtrack point indicating the position at which a new search is to be started is generated in the path, so that the search can continue along a path in which the execution order of the pair is reversed. For example, for a pair of transitions that have a dependency relationship, the state immediately before the earlier of the two transitions is looked up on the path executed so far, and that state is set as the backtrack point.
- Non-Patent Document 5 discloses SDPOR, a technique that improves on DPOR.
- In model checking in general, when a state that was already searched in the past (a searched state) is reached again, the search is aborted there, because any search beyond that state would be redundant.
- In DPOR, however, aborting the search in this way affects the analysis of dependent transitions on the path, and correct results cannot be obtained. DPOR therefore continues the search even when a searched state is reached.
- SDPOR is a modification of DPOR that can abort the search when a searched state is reached.
- In SDPOR, the transitions made in past searches are managed in a graph that is used for the dependency analysis.
- In this graph, each node is associated with one transition, and each directed edge indicates the execution order of transitions performed in a past search. For example, if the state immediately after a transition t1 performed during the search is s1, and a transition t2 is then performed from s1, a directed edge is drawn from the node n1 corresponding to t1 to the node n2 corresponding to t2 (the nodes n1 and n2 are created if they do not yet exist in the graph).
- When a searched state s2 is reached again, the transitions that can be performed from s2 are checked, the node corresponding to each such transition is looked up in the graph, and all nodes reachable from it by following directed edges are extracted.
- The transitions corresponding to the extracted nodes represent the transitions that could be executed in the state transitions following s2.
- Dependencies are analyzed using these transitions together with the transitions on the current path, and backtrack points are generated. The feature of SDPOR is that this procedure analyzes dependencies correctly even when the search after a searched state is aborted, so that the search can be aborted as aggressively as possible.
- Non-Patent Document 6 discloses DPOR-DS, a modification of DPOR for model checking of a distributed environment model.
- In DPOR-DS, a happens-before relationship in the distributed environment model is defined separately from the dependency relationship and is used to decide whether to generate backtrack points.
- The happens-before relationship is an execution order relationship between transitions that always holds on a given model. For example, for transitions in which a certain packet p is transmitted and received, the transition transmitting p always occurs before the transition receiving p. An order relationship between transitions that always holds in this way, by virtue of the causal relationships on the model, is a happens-before relationship.
- Although DPOR-DS of Non-Patent Document 6 is a DPOR applicable to model checking of a distributed environment model, for the same reason as DPOR of Non-Patent Document 4 it cannot abort the search after a searched state.
- SDPOR of Non-Patent Document 5 is a DPOR that can abort the search after a searched state, but it assumes that the target of model checking is a multithreaded environment model, as DPOR of Non-Patent Document 4 does.
- Specifically, the order in which transitions were performed in past searches is stored without distinguishing between paths, so the information needed for a distributed environment model cannot be obtained, and the happens-before relationship cannot be analyzed. This is described below with reference to FIGS. 15 and 16.
- The lower part of FIG. 15 shows the graph generated from the transitions performed in a past search.
- In that search, the model moved from state S0 to state S1 by transition t0, then to state S2 by transition t1, and then to state S3 by transition t2. The order of the transitions on this path is t0 → t1 → t2.
- The graph representing this order is shown at the bottom of FIG. 15: three nodes corresponding to the transitions t0 to t2 are displayed, and directed edges between the nodes indicate the order of the transitions.
- Suppose another path is then searched, in which transition t2 is performed after transition t0 and transition t1 is performed after transition t2. A directed edge from t0 to t2 and a directed edge from t2 to t1 are newly added to the graph.
- In such a graph, one node corresponds to one transition, and the directed edges show only the before/after context of transitions performed in past searches. The order of the transitions within each of the plurality of paths performed in the past therefore cannot be recovered, and SDPOR cannot analyze the happens-before relationship.
- The object of the present invention is to solve the problems described above: when DPOR is applied in model checking of a distributed environment model, to make an efficient search possible by providing a means of aborting the search after a searched state.
- According to the present invention there is provided a model checking device for a distributed environment model, comprising: a distributed environment model search unit which, given information indicating a distributed environment model that can take a plurality of states and moves between those states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first state as its start position and moves linearly, without branching, through one or more of the transitions to a second state as its end position, and determines whether each searched state satisfies a predetermined property;
- a searched state management unit that stores the searched states searched in the past; a searched transition history management unit that stores the order of the transitions in each of the linear movements performed in the past; and a searched state transition correspondence information management unit that stores, in association with each of the searched states, the transition by which another state was reached from it in the past search;
- a distributed environment model dependency analysis unit which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relationships and happens-before relationships among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point to be backtracked to on the path of the linear movement;
- wherein the distributed environment model search unit, when the search of one linear movement is finished, starts another linear movement with the backtrack point as its start position.
- According to the present invention there is also provided a program that causes a computer to function as: distributed environment model searching means which, given information indicating a distributed environment model that can take a plurality of states and moves between those states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first state as its start position and moves linearly, without branching, through one or more of the transitions to a second state as its end position, and determines whether each searched state satisfies a predetermined property;
- searched state management means for storing the searched states searched in the past; searched transition history management means for storing the order of the transitions in each of the linear movements performed in the past; and searched state transition correspondence information management means for storing, in association with each of the searched states, the transition by which another state was reached from it in the past search;
- distributed environment model dependency analysis means which, when the distributed environment model searching means finishes one of the linear movements, analyzes the dependency relationships and happens-before relationships among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point to be backtracked to on the path of the linear movement;
- wherein the distributed environment model searching means, after completing the search of one linear movement, starts another linear movement with the backtrack point as its start position.
- According to the present invention there is further provided a model checking method for a distributed environment model, in which a computer executes: a distributed environment model search step of, given information indicating a distributed environment model that can take a plurality of states and moves between those states by predetermined transitions realized by executing predetermined operations executable in each state, searching the states the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first state as its start position and moves linearly, without branching, through one or more of the transitions to a second state as its end position, and determining whether each searched state satisfies a predetermined property;
- a searched state management step of storing the searched states searched in the past in a storage unit; a searched transition history management step of storing in the storage unit the order of the transitions in each of the linear movements executed in the past; and a searched state transition correspondence information management step of storing in the storage unit, in association with each of the searched states, the transition by which another state was reached from it in the past search;
- a distributed environment model dependency analysis step of, when one of the linear movements is finished in the distributed environment model search step, analyzing the dependency relationships and happens-before relationships among the plurality of transitions executed in a predetermined order in that linear movement and generating a backtrack point indicating a point to be backtracked to on the path of the linear movement; wherein, in the distributed environment model search step, after the search of one linear movement is finished, another linear movement is started with the backtrack point as its start position.
- Each unit of the device described below is realized by an arbitrary combination of hardware and software, centered on a CPU (central processing unit) of any computer, a memory, a program loaded into the memory (in addition to a program stored in the memory from the stage of shipping the device, a program loaded from a storage medium such as a CD (compact disc), etc.), a storage unit such as a hard disk for storing the program, and a network connection interface. Those skilled in the art will understand that there are various modifications to the implementation method and the device.
- In the description of each embodiment, each device is described as being implemented by one device, but the implementation means is not limited to this; it may be a physically separated configuration or a logically separated configuration.
- The model checking device 1 for a distributed environment model includes a distributed environment model search unit 11, a distributed environment model dependency relationship analysis unit 12, a searched state management unit 13, a searched transition history management unit 14, and a searched state transition correspondence information management unit 15.
- The distributed environment model search unit 11 is configured to exchange information with each of the distributed environment model dependency relationship analysis unit 12, the searched state management unit 13, the searched transition history management unit 14, and the searched state transition correspondence information management unit 15.
- The searched state transition correspondence information management unit 15 manages the correspondence that links the searched states managed by the searched state management unit 13 with the transitions managed by the searched transition history management unit 14. Each unit is described below.
- The distributed environment model search unit 11 acquires information indicating a distributed environment model that can take a plurality of states and moves between those states by predetermined transitions realized by executing predetermined operations executable in each state. It searches the states the distributed environment model can take by executing a plurality of linear movements (state movements along a linear path that contains no branch), each starting at a first state and moving linearly, through one or more transitions and without branching, to a second state that is its end position, and it determines whether each searched state satisfies a predetermined property. When the distributed environment model search unit 11 finishes the search of one linear movement, it starts another linear movement with a backtrack point as its start position.
- Specifically, the distributed environment model search unit 11 receives from the user, via the input device, verification information D11 containing the distributed environment model and the property the distributed environment model is to satisfy. It then executes model checking using the received verification information D11 and returns to the user, via the output device, a verification result D14 containing whether the property holds and, when the property is not satisfied, a counterexample demonstrating this.
- The specification of the distributed environment model may be any state transition system on which the dependency relationships and the happens-before relationships described later can be defined appropriately and analyzed by computer processing. The description format of the distributed environment model may likewise be anything a computer can process. In the first embodiment, the distributed environment model is specified as follows.
- A state is defined as a triple (N, M, Q).
- N is the set of nodes that act in the distributed environment (hereinafter, operation subject nodes); an element n of N (n ∈ N) has a variable sv representing its state.
- M is the set of messages exchanged between operation subject nodes; an element m of M (m ∈ M) has a variable mv representing the contents of the message.
- Q is the set of communication channels; an element q of Q (q ∈ Q) is a communication channel realized by a variable that stores a plurality of messages.
- An operation subject node can take messages out of a communication channel in any order, regardless of the order in which the messages were stored in the channel.
- Each operation subject node has communication channels for communicating with the other operation subject nodes: for each operation subject node it can communicate with, one channel for transmission and one for reception.
- The transmission channel of one operation subject node is the reception channel of the other operation subject node, and vice versa.
- Next, the definition of a transition in the distributed environment model of the first embodiment is described.
- A transition represents the state of the model changing (moving) when any one of the operation subject nodes present in the distributed environment model performs an operation of a specific unit.
- Operations of a specific unit are of the following three types.
- Message transmission: an operation subject node can execute a message transmission operation according to its state sv. The operation subject node n that has executed the transmission places the transmitted message m in the corresponding message transmission channel q and changes (or may leave unchanged) the contents of its state sv.
- Message reception: an operation subject node can execute a message reception operation when one or more messages are stored in its own message reception channel. The operation subject node n takes one arbitrary message m out of its message reception channel q in which one or more messages are stored, and changes (or may leave unchanged) the contents of its state sv according to the contents mv of the message m.
- Internal operation: an operation subject node can execute an internal operation according to its state sv. The operation subject node n that has executed the internal operation changes (or may leave unchanged) the contents of its state sv.
- In addition to operating the model as described above, the distributed environment model search unit 11 checks, each time the state changes, whether the property contained in the verification information D11 holds in the new state. If the property is not satisfied, a verification result D14 containing that result and a counterexample demonstrating it is returned to the user via the output device. The verification information D11 need not contain a property; if no property is defined, a typical property is verified, and the model checking device 1 for the distributed environment model thereafter operates as if the verification information D11 contained that typical property.
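The following Python is an added worked example, not code from the patent: it instantiates the specification above for a constructed two-node model (nodes "c" and "s", messages m1 and m2, one channel per direction stored as an unordered set, because a receiver may take out any stored message), realizes the three operation types as send/receive/internal transitions, and runs the plain exhaustive search of a property with a searched-state set, which is the baseline that DPOR later prunes. The node behaviours, message contents and the property "a running node has no unread message" are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set, Tuple

# Constructed two-node model (added example, not the patent's own): node "c" sends
# messages m1 ("hello") and m2 ("config") to node "s"; node "s" may take any stored
# message out of its reception channel, becomes "configured" on receiving the config
# message, and then performs an internal operation that makes it "running".
MSG_CONTENT = {"m1": "hello", "m2": "config"}   # mv of each message id (constructed)


@dataclass(frozen=True)
class State:
    """(N, M, Q) of the two-node model folded into one hashable record."""
    sv_c: str                  # sv of operation subject node "c"
    sv_s: str                  # sv of operation subject node "s"
    q_c_to_s: FrozenSet[str]   # channel c -> s: the stored message ids, unordered
    q_s_to_c: FrozenSet[str]   # channel s -> c (never used by this model)


@dataclass(frozen=True)
class Transition:
    node: str                  # operation subject node that performed the operation
    type: str                  # "send", "recv" or "internal"
    send: str = ""             # id of the message transmitted (send only)
    recv: str = ""             # id of the message received (recv only)
    change_flag: bool = False  # whether the operation changed the node's sv


def enabled(s: State) -> List[Transition]:
    """Transitions executable in s, in a fixed order (c's sends, s's receives, s's internal)."""
    ts: List[Transition] = []
    if s.sv_c == "init":
        ts.append(Transition("c", "send", send="m1", change_flag=True))
    elif s.sv_c == "sent_m1":
        ts.append(Transition("c", "send", send="m2", change_flag=True))
    for m in sorted(s.q_c_to_s):   # reception may take ANY stored message
        ts.append(Transition("s", "recv", recv=m, change_flag=MSG_CONTENT[m] == "config"))
    if s.sv_s == "configured":
        ts.append(Transition("s", "internal", change_flag=True))
    return ts


def apply(s: State, t: Transition) -> State:
    """Successor state: only t.node and the channel it touched change."""
    if t.type == "send":
        return State("sent_" + t.send, s.sv_s, s.q_c_to_s | {t.send}, s.q_s_to_c)
    if t.type == "recv":
        new_sv = "configured" if MSG_CONTENT[t.recv] == "config" else s.sv_s
        return State(s.sv_c, new_sv, s.q_c_to_s - {t.recv}, s.q_s_to_c)
    return State(s.sv_c, "running", s.q_c_to_s, s.q_s_to_c)


INITIAL = State("init", "init", frozenset(), frozenset())


def no_unread_message_when_running(s: State) -> bool:
    """Constructed property: a running "s" has no message left in its reception channel."""
    return s.sv_s != "running" or not s.q_c_to_s


def search(s0: State, prop: Callable[[State], bool]) -> Tuple[Set[State], List[Transition]]:
    """Plain exhaustive DFS, without DPOR: a searched state is never expanded again.
    Returns the searched states and the first counterexample path ([] if the property holds)."""
    searched: Set[State] = set()

    def dfs(s: State, path: List[Transition]) -> Optional[List[Transition]]:
        if s in searched:
            return None
        searched.add(s)
        if not prop(s):
            return list(path)
        for t in enabled(s):
            cex = dfs(apply(s, t), path + [t])
            if cex is not None:
                return cex
        return None

    return searched, (dfs(s0, []) or [])


if __name__ == "__main__":
    states, cex = search(INITIAL, no_unread_message_when_running)
    print(len(states), "states searched before the first violation")
    for t in cex:
        print(t.node, t.type, t.send or t.recv or "-")
```

The counterexample the search returns is the path in which "s" takes m2 out of the channel before m1 and runs its internal operation while m1 is still unread; it exists only because reception order is arbitrary, which is exactly the interleaving that a DPOR-style search must not prune away.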
- When the distributed environment model search unit 11 finishes one linear movement, the distributed environment model dependency relationship analysis unit 12 analyzes the dependency relationships and happens-before relationships among the plurality of transitions executed in a predetermined order in that linear movement and, where necessary, generates a backtrack point indicating a point to be backtracked to on the path of the linear movement (the linear path).
- In the first embodiment, the distributed environment model search unit 11 searches a distributed environment model representing an OpenFlow network environment, and the distributed environment model dependency relationship analysis unit 12 can analyze dependency relationships and happens-before relationships in the OpenFlow network environment.
- The distributed environment model dependency relationship analysis unit 12 receives from the distributed environment model search unit 11 execution path information D12 indicating the contents of the path on which the search was actually executed (the execution path).
- The execution path information D12 contains at least a first half partial execution path, and may further contain one or more second half partial execution paths that connect after the first half partial execution path.
- Using the received execution path information D12, the distributed environment model dependency relationship analysis unit 12 analyzes the dependency relationship and the happens-before relationship between pairs of transitions on the execution path.
- Specifically, it analyzes the dependency and happens-before relationships between pairs of transitions on the first half partial execution path contained in D12; on the execution path obtained by joining the first half partial execution path and one second half partial execution path in this order; and, where there are several second half partial execution paths, on each execution path obtained by joining the first half partial execution path and one of them in this order.
- Based on the analysis results, the distributed environment model dependency relationship analysis unit 12 generates backtrack points on the first half partial execution path and returns the result (the first half partial execution path D13 on which the backtrack points have been generated) to the distributed environment model search unit 11.
- A dependency relationship is a relationship that holds between two transitions. Intuitively, two transitions are dependent if reversing their execution order changes the result reached after them in the state transition system, or if executing one of them changes whether the other can be executed.
- In general, the condition under which a dependency relationship between transitions t1 and t2 does not hold (that is, t1 and t2 are independent) is defined as follows.
- 1. If transition t1 is executable in a state s1 of the model and moves the model from s1 to s2, then transition t2 is either executable in both s1 and s2 or executable in neither.
- 2. If transitions t1 and t2 are both executable in state s1, then the state reached by executing t1 and then t2 from s1 is the same as the state reached by executing t2 and then t1 from s1.
- The distributed environment model dependency relationship analysis unit 12 may analyze whether this general dependency relationship holds. However, analyzing the general relationship is expensive, so in the first embodiment, taking into account the specification of the distributed environment model used here and the DPOR algorithm, a dependency relationship is defined to hold when the following condition is satisfied:
- "The operation subject node that operated at transition t1 and the operation subject node that operated at transition t2 are the same operation subject node, and the contents of the state sv of that operation subject node changed in at least one of the two transitions."
- The happens-before relationship is an execution order relationship between transitions that always holds on a given model.
- For example, the transition t1 caused by the transmission of a message m always precedes the transition t2 caused by the reception of the message m.
- An execution order relationship between transitions that always holds in this way, by virtue of the causal relationships on the model, is the happens-before relationship, written t1 → t2.
- In the first embodiment, the happens-before relationship is defined as follows.
- 1. "If transition t1 is a transition caused by message transmission by an operation subject node, transition t2 is a transition caused by message reception by an operation subject node, and the message transmitted at t1 and the message received at t2 are the same message, then t1 → t2."
- 2. "If t1 → t2 and t2 → t3, then t1 → t3."
- Next, the data structure of the execution path information D12 is described.
- The first half partial execution path contained in the execution path information D12 is an array of quadruples (st, tr, Backtrack, Done) (or a data structure conforming to this).
- st is the state of the distributed environment model at a certain point in time.
- tr is the transition made from the state st.
- Backtrack is a set of transitions: the transitions to be executed from the state st of the same quadruple when backtracking during the model checking search.
- Done is also a set of transitions: the transitions that have already been executed from the state st of the same quadruple during the search.
- The transitions contained in Backtrack but not in Done are therefore the transitions that should be executed by backtracking from the state st and have not yet been executed.
- The second half partial execution path contained in the execution path information D12 is an array of transitions (or a data structure conforming to this).
- A given execution path information D12 must contain exactly one first half partial execution path, but may contain one, several, or no second half partial execution paths.
- A transition is a quintuple (node, type, send, recv, change_flag).
- node is the operation subject node that performed the operation causing the transition.
- type is the type of the operation that caused the transition (a value representing message transmission, message reception, internal operation, or the like).
- send is information identifying the message transmitted when the operation causing the transition was a message transmission.
- recv is information identifying the message received when the operation causing the transition was a message reception.
- change_flag is a flag indicating whether the state sv of the operation subject node that performed the operation causing the transition was changed: true if it was changed, false if it was not.
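The following Python is an added worked example, not the patent's own code: it implements the first-embodiment dependency condition, the two happens-before rules, and backtrack point generation over a first half partial execution path stored as (st, tr, Backtrack, Done) quadruples with transitions as quintuples, as described above. States are plain labels because the analysis needs only the order of the transitions. The sample path, and the choice to mark the latest earlier dependent transition (the DPOR convention), are this example's own; whether the added transition is enabled at the backtrack state is left to the search unit.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example (not the patent's code): dependency and happens-before analysis over a
# first half partial execution path of quadruples (st, tr, Backtrack, Done), with
# transitions as quintuples. States are plain labels: the analysis uses only the order
# of the transitions, not the model itself. The path is constructed for illustration.


@dataclass(frozen=True)
class Transition:
    node: str                  # operation subject node that acted
    type: str                  # "send", "recv" or "internal"
    send: str = ""             # id of the message transmitted
    recv: str = ""             # id of the message received
    change_flag: bool = False  # whether the node's sv changed


@dataclass
class PathEntry:
    st: str                                                  # state before tr
    tr: Transition                                           # transition taken from st
    backtrack: Set[Transition] = field(default_factory=set)  # Backtrack
    done: Set[Transition] = field(default_factory=set)       # Done

    def pending(self) -> Set[Transition]:
        """Backtrack minus Done: still to be executed from st by backtracking."""
        return self.backtrack - self.done


def make_entry(st: str, tr: Transition) -> PathEntry:
    """Entry as recorded by the search unit: tr has run, so it is in Backtrack and Done."""
    return PathEntry(st, tr, {tr}, {tr})


def dependent(t1: Transition, t2: Transition) -> bool:
    """First-embodiment dependency: same node, and at least one of the two changed its sv."""
    return t1.node == t2.node and (t1.change_flag or t2.change_flag)


def happens_before_matrix(ts: List[Transition]) -> List[List[bool]]:
    """hb[i][j] holds iff t_i -> t_j. Rule 1: t_i transmitted the message t_j received.
    Rule 2: transitive closure along the path (it only chains through a transition that
    both receives and transmits; that such a quintuple can occur is an assumption here)."""
    n = len(ts)
    hb = [[False] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            if ts[i].send and ts[i].send == ts[j].recv:
                hb[i][j] = True
    for k in range(n):
        for i in range(k):
            if hb[i][k]:
                for j in range(k + 1, n):
                    if hb[k][j]:
                        hb[i][j] = True
    return hb


def generate_backtrack_points(path: List[PathEntry]) -> List[int]:
    """For each t_j, the latest earlier t_i that is dependent on t_j and not ordered by
    happens-before marks the state before t_i as a backtrack point and adds t_j to its
    Backtrack set (the DPOR choice of the latest such t_i). Returns the marked indices."""
    ts = [e.tr for e in path]
    hb = happens_before_matrix(ts)
    points: Set[int] = set()
    for j in range(len(ts)):
        for i in range(j - 1, -1, -1):
            if dependent(ts[i], ts[j]) and not hb[i][j]:
                path[i].backtrack.add(ts[j])
                points.add(i)
                break
    return sorted(points)


def deepest_pending(path: List[PathEntry]) -> Optional[int]:
    """Index of the deepest entry with a transition left to backtrack to, or None."""
    for i in range(len(path) - 1, -1, -1):
        if path[i].pending():
            return i
    return None


# Constructed path: c sends m1, s receives it, then c and s each do an internal step.
T0 = Transition("c", "send", send="m1", change_flag=True)
T1 = Transition("s", "recv", recv="m1", change_flag=False)
T2 = Transition("c", "internal", change_flag=True)
T3 = Transition("s", "internal", change_flag=True)
SAMPLE_PATH = [make_entry("s0", T0), make_entry("s1", T1),
               make_entry("s2", T2), make_entry("s3", T3)]

if __name__ == "__main__":
    print(generate_backtrack_points(SAMPLE_PATH))   # indices of the states to backtrack to
    print(deepest_pending(SAMPLE_PATH))             # where the next linear movement starts
```

On the sample path T0 → T1 is a happens-before pair (same message), so that pair never produces a backtrack point; T0 and T2 are dependent (both act on "c" and change its sv) and unordered, so s0 becomes a backtrack point with T2 pending, and likewise s1 with T3. The deepest pending entry, s1, is where the search unit would start the next linear movement.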
- The searched state management unit 13 stores the searched states searched in the past.
- Specifically, the searched state management unit 13 receives from the distributed environment model search unit 11 information indicating a state of the distributed environment model for which a search has been performed, and stores it.
- The stored form may be the received state information as it is, or converted data (for example, compressed data to reduce the storage capacity required).
- When the searched state management unit 13 receives from the distributed environment model search unit 11 an inquiry as to whether a given state of the distributed environment model has been searched in the past, it returns "searched" if a matching state is stored and "not searched" otherwise.
- The searched transition history management unit 14 stores the order of the transitions in each of the linear movements (state movements along linear paths containing no branch) executed in the past.
- Specifically, the searched transition history management unit 14 receives from the distributed environment model search unit 11 information indicating the transitions that were searched, and stores them in the graph structure described below.
- The graph is represented by nodes and directed edges connecting the nodes.
- The graph contains a root node representing the starting point of a path, and a plurality of transition nodes representing the plurality of transitions performed during the search.
- The directed edges represent the execution order of the transitions on specific paths in the distributed environment model.
- The first transition, represented by the transition node to which the directed edge from the root node is drawn, is the first transition made from the initial state of the distributed environment model.
- The second transition, represented by the other transition node to which a directed edge from this transition node is drawn, is the transition made after the first transition.
- The searched state transition correspondence information management unit 15 stores, in association with each searched state, the transition by which another state was reached from it in a past search.
- Specifically, the searched state transition correspondence information management unit 15 stores information linking each state of the distributed environment model searched in the past by the distributed environment model search unit 11 with the transitions performed from that state.
- When the searched state transition correspondence information management unit 15 receives from the distributed environment model search unit 11 a state of the distributed environment model as input, together with an inquiry about the transitions performed from that state in past searches, it identifies those transitions using the information managed by the searched transition history management unit 14 and returns the result. If several transitions were made from the state, information representing all of them is returned.
- When the searched state transition correspondence information management unit 15 receives from the distributed environment model search unit 11 a state of the distributed environment model and a transition as input, together with an instruction to link them, it links the state to the node representing that transition stored in the searched transition history management unit 14.
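The following Python is an added example, not the patent's code, contrasting the two history structures discussed on this page: a flat SDPOR-style graph with one node per transition and edges merged across paths, and a rooted per-path structure of the kind unit 14 keeps, with a state-to-transition-node index playing the role of unit 15. Recording the two paths from FIGS. 15 and 16 (t0, t1, t2 and then t0, t2, t1) shows the flat graph losing the per-path order while the rooted structure keeps it. Transition and state labels are plain strings, the prefix-sharing layout and the S0/S1/S2 labels are this example's own assumptions.

```python
from typing import Dict, List, Set, Tuple

# Added example (not the patent's code): two ways to keep the transition history of past
# searches, with transitions and states as plain string labels. FlatHistoryGraph is the
# SDPOR-style structure discussed earlier (one node per transition, edges merged across
# paths). PathHistoryTrie is one way to realize unit 14 (a root node plus a transition
# node for every transition executed on each path, shared only along a common prefix),
# and StateTransitionIndex plays the role of unit 15. Both are this example's design.


class FlatHistoryGraph:
    def __init__(self) -> None:
        self.edges: Dict[str, Set[str]] = {}

    def record(self, path: List[str]) -> None:
        for a, b in zip(path, path[1:]):      # b ran right after a on some path
            self.edges.setdefault(a, set()).add(b)
            self.edges.setdefault(b, set())

    def reachable(self, t: str) -> Set[str]:
        """Everything that ran after t on *some* path, merged over all paths."""
        seen: Set[str] = set()
        stack = [t]
        while stack:
            for nxt in self.edges.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen


class PathHistoryTrie:
    ROOT = 0

    def __init__(self) -> None:
        self.label: List[str] = [""]                  # node id -> transition label
        self.parent: List[int] = [self.ROOT]
        self.children: List[Dict[str, int]] = [{}]    # node id -> {label: child id}

    def record(self, path: List[str]) -> List[int]:
        """Store one linear movement from the root; returns the node id of each transition."""
        cur, ids = self.ROOT, []
        for t in path:
            nxt = self.children[cur].get(t)
            if nxt is None:
                nxt = len(self.label)
                self.label.append(t)
                self.parent.append(cur)
                self.children.append({})
                self.children[cur][t] = nxt
            ids.append(nxt)
            cur = nxt
        return ids

    def path_to(self, node_id: int) -> List[str]:
        """Transitions from the root to node_id, in execution order."""
        out: List[str] = []
        while node_id != self.ROOT:
            out.append(self.label[node_id])
            node_id = self.parent[node_id]
        return out[::-1]

    def paths(self) -> List[List[str]]:
        """Every recorded path, each with its own order intact."""
        return [self.path_to(n) for n in range(1, len(self.label)) if not self.children[n]]


class StateTransitionIndex:
    """Searched state -> trie nodes of the transitions that were taken from it."""
    def __init__(self, trie: PathHistoryTrie) -> None:
        self.trie = trie
        self.links: Dict[str, Set[int]] = {}

    def link(self, state: str, node_id: int) -> None:
        self.links.setdefault(state, set()).add(node_id)

    def transitions_from(self, state: str) -> Set[str]:
        return {self.trie.label[n] for n in self.links.get(state, set())}


def demo() -> Tuple[Set[str], List[List[str]], Set[str]]:
    """The two paths of FIGS. 15 and 16: t0,t1,t2 and then t0,t2,t1 (state labels constructed)."""
    flat, trie = FlatHistoryGraph(), PathHistoryTrie()
    index = StateTransitionIndex(trie)
    for path, states in ((["t0", "t1", "t2"], ["S0", "S1", "S2"]),
                         (["t0", "t2", "t1"], ["S0", "S1", "S2'"])):
        flat.record(path)
        for st, node in zip(states, trie.record(path)):
            index.link(st, node)
    return flat.reachable("t1"), trie.paths(), index.transitions_from("S1")


if __name__ == "__main__":
    after_t1, paths, from_s1 = demo()
    print("flat graph, after t1:", sorted(after_t1))   # t1 reaches itself: order lost
    print("per-path history:", paths)
    print("transitions taken from S1:", sorted(from_s1))
```

In the flat graph, following edges from t1 reaches t2 and then t1 again, so the structure can no longer say which of t1 and t2 came first on a given path; the rooted history returns the two paths separately, and the index answers "which transitions were taken from S1" with both t1 and t2, as unit 15 is described to do.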
- the user creates the verification information D11, and inputs the verification information D11 to the distributed environment model searching unit 11 via the input device (step S11 in FIG. 2).
- when receiving the verification information D11, the distributed environment model search unit 11 causes the distributed environment model included in the verification information D11 to make state transitions and performs a search along one appropriate path (straight path). It then generates execution path information D12 indicating the executed path and delivers it to the distributed environment model dependency relationship analysis unit 12 (step S12).
- the distributed environment model dependency relationship analysis unit 12 analyzes the dependency relationship and the happens-before relationship on the execution path using the execution path information D12, generates backtrack points on the first half execution path as necessary, and returns the result (the first half partial execution path D13 in which the backtrack points are generated) to the distributed environment model searching unit 11 (step S13).
- if the first half execution path D13 includes a backtrack point that has not yet been backtracked (Yes in step S15), the distributed environment model search unit 11 makes the state transition of the distributed environment model again from a predetermined backtrack point (e.g., the deepest backtrack point on the first half execution path D13), obtains new execution path information D12′, and delivers it to the distributed environment model dependency relationship analysis unit 12 (step S14).
- the distributed environment model dependency relationship analysis unit 12 analyzes the dependency relationship and the happens-before relationship on the execution path by using the execution path information D12 ′ and performs the same processing (step S13). If there is a backtrack point not backtracked on the first half portion execution path D13 (Yes in step S15), the above process is repeated.
- the distributed environment model searching unit 11 outputs a verification result D14 including the success or failure of the property in the state after each transition and, when the property is not satisfied, a counterexample showing this (step S16). Then, the user confirms the verification result D14 output in step S16 (step S17).
- while the distributed environment model search unit 11 makes the state transitions of the distributed environment model and searches along one path (straight path) in step S12, and searches along another path (straight path) from a predetermined backtrack point in step S14, it can determine the success or failure of the property in the state after each transition every time a state transition is made.
- when the determination in step S15 becomes No, the distributed environment model searching unit 11 can collectively determine the success or failure of the property in the states (searched states) after each of the transitions performed so far, end the model inspection process at that point, and output the verification result D14.
- FIG. 11 to FIG. 14 show, as “state transition state”, the transitions between states actually performed in the search of the state st of the distributed environment model.
- “Transition”, “transition history”, “first half part execution path” and “second half part execution path” schematically show the data processed by the distributed environment model model inspection device of this embodiment when searching for the state st of the distributed environment model.
- Each of a plurality of transition elements Tr0 to Tr5 shown in "transition” indicates each of the feasible transitions specified by the verification information D11.
- Transition history indicates a graph of transition history managed by the searched transition history management unit 14.
- the “first half part execution path” and the “second half part execution path” indicate execution path information D12 generated by the distributed environment model searching unit 11 or the like.
- each of the transitions Tr0 to Tr5 is represented by data of a set of five elements (node, type, send, recv, change_flag).
- the transition from the state St0 to the state St1 in the execution path indicated by “state transition state” is caused by the transition Tr0; its operation subject node is the node 1, the operation content is message transmission by the operation subject node, the identification information of the transmitted message is packet 1, and the state of the operation subject node has not changed due to the operation.
- the data of the “transition history”, “first half execution path” and “second half portion execution path” shown in the figures is generated step by step by performing the steps from step S12 in FIG. 2 onward.
- step S12 will be described using FIG. 3 and FIG.
- a root node representing the initial state St0 is generated in the graph managed by the searched transition history management unit 14 (step S12_2).
- a root node of “transition history” shown in FIG. 11 is generated.
- the distributed environment model searching unit 11 causes the searched state transition correspondence information management unit 15 to associate the initial state St0 and the root node generated in step S12_2 (step S12_3).
- in FIG. 11, information indicating which state st is associated with each node is written inside each node (root node and transition node) of the transition history graph, but the method of association is not limited to this.
- the distributed environment model searching unit 11 registers the initial state St0 in the searched state managing unit 13 (step S12_4).
- the distributed environment model searching unit 11 uses the verification information D11 to check whether there is one or more transitions that can be executed from the initial state St0 (step S12_5); if there are, it selects an arbitrary transition tr (transition Tr0 in the case of FIG. 11), performs it from the initial state St0, and generates the state st′ after the transition (St1 in the case of FIG. 11) (step S12_6).
- the distributed environment model searching unit 11 generates execution path elements (st, tr, Backtrack, Done) and stacks them on the execution path stack (step S12_7).
- execution path element Pe0 shown in "first half portion execution path" of FIG. 11 is generated.
- the st included in the execution path element Pe0 indicates the state before transition (St0 in the example of FIG. 11), and tr indicates the transition executed this time (Tr0 in the example of FIG. 11).
- Backtrack indicates the backtrack transitions to be performed (none in the example of FIG. 11), and Done indicates the transitions performed from the state before the transition, this time and in the past (Tr0 in the example of FIG.).
- the distributed environment model searching unit 11 generates, in the graph managed by the searched transition history management unit 14, the transition node Nd1 representing the transition tr performed in step S12_5, and draws a directed edge from the root node to the transition node Nd1 (step S12_8).
- a transition node Nd1 representing transition Tr0 is generated in the “transition history” shown in FIG. 11, and a directed edge directed from the root node to the transition node Nd1 is drawn.
- the above processing is repeated until the determination is No in step S12_5 or Yes in step S12_10, whereby data as shown in FIG. 11 is generated.
- when no further transition can be executed in step S12_5, the execution path information D12 is generated with the contents of the execution path stack at that point (execution path elements Pe0 to Pe5 in the case of FIG. 11) as the first half execution path and with the second half partial execution path empty, and is delivered to the distributed environment model dependency analysis unit 12 (step S12_19), and step S12 is ended.
- the process after the determination in step S12_10 is Yes will be described using FIGS. 4, 12 and 13.
- that is, if the state st′ after a certain transition has already been registered in the searched state management unit 13, the distributed environment model searching unit 11 first acquires, from the searched state transition correspondence information management unit 15, all transition nodes linked with the state st′ (step S12_12).
- a search was performed in the past along the path St0 → St1 → St2 → St3 → St4 → St5 → St6, and in this case a search is newly performed along the path St2 → St7 → St4.
- the state St4 is determined to be registered in the searched state management unit 13 in step S12_10.
- the “transition history” and the “first half part execution path” in FIG. 12 show the state immediately after the transition Tr2 is performed from the state St7 to reach the state St4 and the state St4 is determined to be registered in the searched state management unit 13 in step S12_10.
- the distributed environment model searching unit 11 acquires the transition node Nd4 linked with the state St4 in the searched state transition correspondence information managing unit 15 in step S12_12.
- if a plurality of transition nodes are associated with the state St4, the distributed environment model searching unit 11 acquires all of them.
- the distributed environment model searching unit 11 selects an arbitrary transition node nd2 from the transition nodes acquired in step S12_12 (step S12_13) and, in the graph managed by the searched transition history management unit 14, lists all transition nodes nd3 that can be reached from the transition node nd2 by tracing one directed edge (step S12_14). Steps S12_13 to S12_14 are repeated until all transition nodes have been selected in step S12_13 (Yes loop of step S12_15).
- the distributed environment model searching unit 11 acquires from the transition node Nd4 a transition node Nd5 that can be reached by tracing only one directed edge.
- in step S12_16, the distributed environment model searching unit 11 draws, in the graph managed by the searched transition history management unit 14, a directed edge from the transition node representing the transition into the state st′ determined as registered in step S12_10 to each of the transition nodes nd3 listed in step S12_14 (step S12_16).
- a directed edge toward the transition node Nd5 listed in step S12_14 is drawn from the transition node Nd8 representing the transition into the state St4 determined to be registered (transition Tr2 from the state St7).
- the distributed environment model searching unit 11 sets the state st′ as the starting state and acquires one or more second half partial execution paths (step S12_17). After that, the distributed environment model search unit 11 generates the execution path information D12 by combining the contents of the execution path stack at that time (the execution path up to the state st′ determined to be registered in step S12_10) as the first half part execution path with the one or more second half partial execution paths acquired in step S12_17, passes it to the distributed environment model dependency relationship analysis unit 12 (step S12_18), and ends step S12.
- step S12_17 will be described in more detail with reference to FIG. 5 and FIG.
- the distributed environment model searching unit 11 extracts all transition nodes linked with the start state st ′ in the searched state transition correspondence information management unit 15 (step S12_17_1).
- the transition node Nd4 linked with the state St4 which is the starting point state st ′ is extracted.
- an execution path (one second half partial execution path) obtained by tracing directed edges from the extracted transition node until reaching a transition node that has no outgoing directed edge is acquired (step S12_17_3).
- the execution path “Tr4 → Tr5” obtained by tracing the directed edges from the transition node Nd4 to the end is acquired.
- for example, the distributed environment model searching unit 11 stores each state in the searched state managing unit 13 as it is searched, so that at the time of the N-th (N is an integer of 1 or more) straight-line search it can check whether each searched state is already stored. If it is stored, the straight-line search is ended with that state as the end position, and, using the information stored by the searched transition history management unit 14 and the searched state transition correspondence information management unit 15, one or more executed paths can be obtained that indicate the transitions performed, and their order, after the state that is the end position of the N-th search was reached in past searches (the (N-1)-th and earlier searches and the N-th search so far).
- the distributed environment model dependency relationship analysis unit 12 can then analyze the dependency relationships and happens-before relationships among the transitions, in their given order, contained in the series of paths obtained by combining the path of the N-th straight-line search with each of the one or more executed paths acquired by the distributed environment model search unit 11 (each indicating the transitions after the end-position state of the N-th search and their order), and generate backtrack points on the path of the N-th straight-line search.
- the distributed environment model dependency analysis unit 12 first specifies an execution path to be analyzed.
- the distributed environment model dependency relationship analysis unit 12 sets the former half partial execution path included in the execution path information D12 as the analysis target execution path.
- the first half execution path is the execution path to be analyzed.
- the distributed environment model dependency relationship analysis unit 12 performs preprocessing for analyzing the happens-before relationship with respect to the execution path to be analyzed (the former half execution path). Then, when a combination of transitions having a dependency relationship and a non-happens-before relationship is specified, a backtrack point is generated in the execution path (the first half execution path). After that, the distributed environment model dependency relationship analysis unit 12 returns the execution path (first half execution path D13) for which the backtrack point has been generated to the distributed environment model searching unit 11, and ends step S13.
- the distributed environment model dependency relationship analysis unit 12 performs processing in the flow of FIG. First, the distributed environment model dependency analyzing unit 12 selects an arbitrary one from one or more second half partial execution paths included in the execution path information D12 (step S13_1). Next, an execution path formed by combining the former half execution path included in the execution path information D12 and the latter half execution path selected in step S13_1 in this order is an analysis target (step S13_2).
- the distributed environment model dependency relationship analysis unit 12 performs preprocessing for analyzing the happens-before relationship on the execution path to be analyzed (step S13_3). Furthermore, the distributed environment model dependency relationship analysis unit 12 analyzes the dependency relationship and the happens-before relationship and generates backtrack points (step S13_4). If there are a plurality of second half partial execution paths included in the execution path information D12, steps S13_1 to S13_4 are repeated until all of them have been selected in step S13_1 (step S13_5). Finally, the former half execution path D13 for which the backtrack points have been generated is returned to the distributed environment model searching unit 11 (step S13_6), and step S13 is ended.
- Step S13_3 will be described in more detail with reference to FIG.
- for each execution path element Pe, the execution path elements whose transitions are in a happens-before relationship with (i.e., necessarily occur before) the transition of Pe are determined. For this purpose, a data structure (happens-before set) holding the set of execution path elements whose transitions have a happens-before relationship with the transition of the element is prepared for each execution path element Pe.
- the distributed environment model dependency relationship analysis unit 12 first selects the ith (i is 1 at first) execution path element Pei from the execution paths (execution path elements Pe0 to Pex) to be analyzed (step S13_3_1). Next, the j-th (j is initially 0) execution path element Pej is selected (step S13_3_2).
- the transition of the execution path element Pei and the transition of the execution path element Pej are compared (step S13_3_3), and if [transition of the execution path element Pej → transition of the execution path element Pei] (happens-before relation) holds, the execution path element Pej and all execution path elements included in the happens-before set of the execution path element Pej are added to the happens-before set (initially empty) of the execution path element Pei (step S13_3_4).
- in step S13_3_3, it is compared whether the value of the received message recv of the transition of the execution path element Pei (identification information of the received message) matches the value of the transmitted message send of the transition of the execution path element Pej (identification information of the transmitted message), and if they match, it is assumed that there is a happens-before relationship.
- the value of j is increased by 1 (step S13_3_5).
- Steps S13_3_2 to S13_3_5 are repeated until the value of j becomes i or more (step S13_3_6).
- when the value of j becomes i or more, the value of i is increased by 1 and the value of j is set to 0 (step S13_3_7). Steps S13_3_1 to S13_3_7 are repeated until the value of i becomes greater than the length of the execution path to be analyzed (step S13_3_8), and step S13_3 is ended.
- Step S13_4 will be described in more detail with reference to FIG.
- the model dependency relationship analysis unit 12 first selects the nth (n is initially 0) execution path element Pen out of the range of the first half execution path among the execution paths to be analyzed (step S13_4_1).
- the mth (m is initially n + 1) execution path element Pem is selected from the execution paths to be analyzed (step S13_4_2).
- the transition of the execution path element Pen and the transition of the execution path element Pem are compared, and it is checked whether they have “dependency and no happens-before relation” (step S13_4_3).
- in step S13_4_3, with regard to the dependency relationship, it is assumed that there is a dependency relationship if the operation subject nodes (node) of the transitions of the execution path elements Pen and Pem are equal and the state change flag change_flag of both transitions is true.
- in step S13_4_3, with regard to the happens-before relationship, it is assumed that the happens-before relationship holds if the execution path element Pen is included in the “happens-before” set of the execution path element Pem.
- in step S13_4_3, if it is found that the execution path elements Pen and Pem have “dependency and no happens-before relation”, the backtrack point is generated by selecting, among the execution path elements included in the happens-before set of the execution path element Pem, the execution path element Pel at the forefront in the execution path to be analyzed and adding the transition of the execution path element Pel to the backtrack set of the execution path element Pen (step S13_4_4). Next, the value of m is increased by 1 (step S13_4_5), and steps S13_4_2 to S13_4_5 are repeated until the value of m becomes larger than the length of the execution path to be analyzed (step S13_4_6).
- when the value of m is larger than the length of the execution path to be analyzed, the value of n is increased by 1 and the value of m is set to n + 1 (step S13_4_7). Steps S13_4_1 to S13_4_7 are repeated until the value of n becomes larger than the length of the former half execution path (step S13_4_8), and step S13_4 is ended.
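Steps S13_3 and S13_4 above, as an added Python example (not code from the patent): the happens-before sets are filled by matching each element's recv against earlier elements' send, and dependent but unordered pairs yield backtrack transitions, using the first embodiment's five-element transition data. The sample path, the transition type labels, and the choice of Pel when Pem's happens-before set has no element after Pen (the example falls back to Pem itself) are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Transition:
    """Five-element transition data of the first embodiment: (node, type, send, recv, change_flag)."""
    node: int            # operation subject node
    type: str            # kind of operation (labels are constructed for this example)
    send: Optional[str]  # identification of the transmitted message, if any
    recv: Optional[str]  # identification of the received message, if any
    change_flag: bool    # True when the node's own state changed in this operation


@dataclass
class PathElement:
    """Execution path element (st, tr, Backtrack, Done) plus the happens-before set of step S13_3."""
    st: str                                    # state before the transition (label only)
    tr: Transition
    backtrack: Set[Transition] = field(default_factory=set)
    done: Set[Transition] = field(default_factory=set)
    hb: Set[int] = field(default_factory=set)  # indices of elements that happen before tr


def happens_before_preprocess(path: List[PathElement]) -> None:
    """Step S13_3: for each Pei and each earlier Pej, if Pei's recv matches Pej's send,
    Pej and everything in Pej's happens-before set are added to Pei's set."""
    for i in range(1, len(path)):
        path[i].hb = set()
        for j in range(i):
            pi, pj = path[i].tr, path[j].tr
            if pi.recv is not None and pi.recv == pj.send:
                path[i].hb.add(j)
                path[i].hb |= path[j].hb


def dependent(a: Transition, b: Transition) -> bool:
    """Dependency check of step S13_4_3 (first embodiment): same subject node and both changed state."""
    return a.node == b.node and a.change_flag and b.change_flag


def generate_backtrack_points(path: List[PathElement], first_half_len: int) -> Dict[int, Set[Transition]]:
    """Step S13_4: for each dependent, unordered pair (Pen in the first half, Pem later),
    add a backtrack transition to Pen. Returns {n: backtrack set} for elements that got one."""
    for n in range(min(first_half_len, len(path))):
        for m in range(n + 1, len(path)):
            if not dependent(path[n].tr, path[m].tr) or n in path[m].hb:
                continue
            # Pel: the foremost element of Pem's happens-before set that lies after Pen.
            # Assumption of this example: only elements after Pen are candidates, and Pem
            # itself is used when there is none (the page does not spell out these cases).
            later = sorted(k for k in path[m].hb if k > n)
            pel = later[0] if later else m
            path[n].backtrack.add(path[pel].tr)
    return {n: set(e.backtrack) for n, e in enumerate(path) if e.backtrack}


def build_sample_path() -> List[PathElement]:
    """Constructed straight-path search of three nodes exchanging packets 1 to 4."""
    trs = [
        Transition(1, "send", "packet 1", None, False),    # Tr0: as described for FIG. 11
        Transition(3, "send", "packet 2", None, True),
        Transition(2, "recv", None, "packet 1", True),
        Transition(2, "forward", "packet 3", "packet 2", True),
        Transition(1, "recv", None, "packet 3", True),
        Transition(1, "send", "packet 4", None, True),
    ]
    # Done initially holds the transition taken this time from that state
    return [PathElement(f"St{k}", tr, done={tr}) for k, tr in enumerate(trs)]


def analyze(path: List[PathElement], first_half_len: int) -> Dict[int, Set[Transition]]:
    """Step S13 over a path whose second half is empty: preprocessing, then backtrack generation."""
    happens_before_preprocess(path)
    return generate_backtrack_points(path, first_half_len)


if __name__ == "__main__":
    sample = build_sample_path()
    for n, bt in analyze(sample, len(sample)).items():
        names = [f"{t.type} by node {t.node}" for t in bt]
        print(f"backtrack at Pe{n} (state {sample[n].st}): {names}")
```

On the sample path the two receptions of node 2 and the reception/transmission pair of node 1 are dependent but not ordered by any message, so Pe2 and Pe4 receive backtrack points; node 1's first transmission does not, because its change_flag is false.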
- Step S14 will be described in more detail with reference to FIG.
- the distributed environment model searching unit 11 first replaces the contents of the execution path stack with the first half execution path D13 acquired in step S13 (step S14_1).
- the subsequent execution path elements are removed from the execution path stack (step S14_2).
- a transition tr that is included in the backtrack set of the execution path element Peq and not in its done set is selected, the transition tr is performed on the state st held by the execution path element Peq, and the next state st′ is generated (step S14_3).
- the transition held by the execution path element Peq is replaced with tr, and tr is added to the done set (step S14_4).
- the transition node Ndq representing the transition tr is generated in the graph managed by the searched transition history management unit 14 (step S14_5).
- all transition nodes associated with the state st are listed in the searched state transition correspondence information management unit 15, and a directed edge toward the transition node Ndq is drawn from each of them (step S14_6).
- the state st′ and the transition node Ndq are linked in the searched state transition correspondence information management unit 15 (step S14_7).
- the subsequent procedure is the same as that described for step S12 from step S12_10 onward, and is thus omitted.
- the distributed environment model model inspection device 1 stores and manages the searched states at the time of the search by model inspection (searched state management unit 13), and at the same time stores and manages the searched transitions using a graph structure representing the history, from which the contents of the transitions performed in the search and their order can be acquired separately (searched transition history management unit 14). Further, in managing the searched states and transitions, it links which transitions have been performed from each searched state (searched state transition correspondence information management unit 15).
- when the distributed environment model search unit 11 receives, from the user via the input device, the verification information D11 including the distributed environment model and the property to be satisfied by it, it executes model inspection using the verification information D11 and returns to the user via the output device a verification result D11 including the success or failure of the property and a counterexample showing that the property is not satisfied.
- the distributed environment model is assumed to be a model representing a network (OpenFlow network) environment controlled by OpenFlow, and its specification may be any state transition system conforming to the OpenFlow specification.
- the description format of the distributed environment model may be anything that can be processed by a computer.
- the specification of the distributed environment model will be described as follows.
- the definition of the state in the distributed environment model of the second embodiment will be described.
- the state is defined as a set of six elements of (T, S, C, P, M, Q).
- T is a set of terminals, and an element t of T (t ∈ T) has a variable sv representing its state.
- S is a set of switches, and an element s of S (s ∈ S) has a variable E representing the set of flow entries installed in the switch.
- the element e of E (e ∈ E) is a flow entry, and is defined as a pair (mr, af) of a value mr representing the content of the matching rule and a value af representing the content of the action field.
- C is a set of controllers, and an element c of C (c ∈ C) has a variable V representing the set of variables handled globally by each operation model of the controller c.
- the element v of V (v ∈ V) is one of the variables handled globally by the controller's operation models, and is defined as a pair (vn, vv) of a value vn representing the name of the variable and a value vv representing the contents of the variable.
- P is a set of packets, and an element p of P (p ∈ P) has a variable pv that represents the contents of the packet.
- M is a set of OpenFlow messages, and an element m of M (m ∈ M) has a variable mv that represents the contents of the OpenFlow message.
- Q is a set of communication ports, and an element q of Q (q ∈ Q) is a communication port realized as a FIFO (First In, First Out) queue for storing packets and OpenFlow messages.
- each terminal/switch/controller has communication ports for communicating with the other terminals/switches/controllers it can communicate with: one for transmission and one for reception per counterpart.
- the communication port for transmission of one terminal/switch/controller is the communication port for reception of another terminal/switch/controller, and vice versa.
- terminals, switches and controllers may be generically referred to as nodes.
- the definition of the transition in the distributed environment model of the second embodiment will be described.
- a transition represents a change of the state of the model that occurs when any of the terminals, switches and controllers present in the distributed environment model (OpenFlow network) executes an operation of a specific unit.
- the operation of a specific unit is the following six types.
- the terminal can perform a packet transmission operation according to its state sv.
- the packet reception by the terminal will be described.
- the terminal can execute a packet reception operation when one or more packets are stored in its own packet reception communication port.
- the terminal t takes out the packet p stored first from its own packet reception communication port q in which one or more packets are stored. Then, the contents of its own state sv are changed (or not changed) in accordance with the contents pv of the packet p.
- the flow entry application by the switch will be described.
- the switch can execute the flow entry application operation when one or more packets are stored in its own packet reception communication port and it has a flow entry applicable to the packet stored first in that port.
- the packet p stored first is taken out from the packet reception communication port q of the switch s where one or more packets are stored.
- the matching rule mr of each flow entry possessed by the switch s is compared with the content pv of the packet p, and one flow entry e applicable to the packet p is selected.
- the operation is performed according to the action field af of the flow entry e.
- when one or more packets are stored in its packet reception communication port and it does not have a flow entry applicable to the packet stored first in that port, the switch can execute a Packet-In message transmission operation.
- in the Packet-In message transmission operation of the switch, first, the packet p stored first is taken out from the packet reception communication port q1 of the switch s in which one or more packets are stored.
- a Packet-In message m including the information of the packet p is stored in the OpenFlow message transmission communication port q2 corresponding to the controller.
- the OpenFlow message reception by the switch will be described.
- the switch can execute the OpenFlow message reception operation when one or more OpenFlow messages are stored in its own OpenFlow message reception communication port.
- the OpenFlow message m stored first is extracted from the communication port q for receiving OpenFlow messages of the switch s in which one or more OpenFlow messages are stored.
- the operation is executed according to the content mv of the OpenFlow message m.
- the controller can execute a program execution operation when one or more OpenFlow messages are stored in its own OpenFlow message reception communication port.
- in the program execution operation of the controller, first, the OpenFlow message m stored first is taken out from the communication port q for receiving OpenFlow messages of the controller c in which one or more OpenFlow messages are stored.
- then, among the operation models of the controller c, the one corresponding to mv is executed (if none is defined, the default behavior specified in the OpenFlow specification is performed).
- a transition is a set of seven elements (node, type, send, recv, port, install, apply).
- the node is an action entity (any one of a terminal, a switch, and a controller) that has operated at the transition, and type is a type of the action that caused the transition (a value representing any of the above six types of actions).
- send represents the set of packets or OpenFlow messages transmitted in the transition.
- recv represents a packet received in the transition or the OpenFlow message.
- the port represents the reception communication port in which the packet received in the transition or the OpenFlow message was stored.
- install represents the flow entry installed in the transition
- apply represents the flow entry applied in the transition.
- the transition data based on this data structure is generated after the values of the respective fields are appropriately set according to the contents of the transition when the state transitions in the search by the distributed environment model search unit 11.
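The state (T, S, C, P, M, Q), the FIFO communication ports and the switch-side operations described above, as an added Python model (not code from the patent): enabled_transitions lists the operations executable in a state in the seven-element form (node, type, send, recv, port, install, apply), choosing flow entry application when a flow entry matches the head packet and Packet-In transmission otherwise. The packet/message encoding, the "output:<node>" action field, the single-controller assumption and the sample network are constructed for this example; terminal transmission (which depends on the abstract state sv) is left out.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List


@dataclass
class FlowEntry:
    """Flow entry e = (mr, af): matching rule (header field -> value) and action field."""
    mr: Dict[str, str]
    af: str  # constructed encoding: "output:<node>" forwards the packet to that node


@dataclass
class Port:
    """Communication port q in Q: a FIFO queue from src (its transmission port) to dst
    (its reception port). Items are packets or OpenFlow messages, tagged by "kind"."""
    src: str
    dst: str
    queue: Deque[dict] = field(default_factory=deque)


@dataclass
class State:
    """State (T, S, C, P, M, Q); the packets P and messages M are the items in the queues Q."""
    terminals: List[str]
    switches: Dict[str, List[FlowEntry]]  # s -> its flow entry set E
    controllers: List[str]
    ports: List[Port]

    def in_ports(self, node: str) -> List[Port]:
        """Non-empty reception ports of a node: the only places an operation can start."""
        return [q for q in self.ports if q.dst == node and q.queue]

    def out_port(self, src: str, dst: str) -> Port:
        return next(q for q in self.ports if q.src == src and q.dst == dst)


def matches(entry: FlowEntry, pkt: dict) -> bool:
    """A packet matches when every field of the matching rule equals the packet's value."""
    return all(pkt["pv"].get(k) == v for k, v in entry.mr.items())


def transition(node, kind, recv, port, apply=None) -> dict:
    # seven-element transition; send is filled by step() once something was transmitted
    return dict(node=node, type=kind, send=None, recv=recv, port=port, install=None, apply=apply)


def enabled_transitions(st: State) -> List[dict]:
    """Operations executable in state st (terminal packet transmission is not modelled)."""
    out = []
    for s, entries in st.switches.items():
        for q in st.in_ports(s):
            head = q.queue[0]
            if head["kind"] != "packet":
                out.append(transition(s, "openflow_recv", head, q))
                continue
            e = next((e for e in entries if matches(e, head)), None)
            # applicable flow entry -> flow entry application; none -> Packet-In transmission
            out.append(transition(s, "flow_entry_apply" if e else "packet_in_send", head, q, e))
    for t in st.terminals:
        for q in st.in_ports(t):
            out.append(transition(t, "packet_recv", q.queue[0], q))
    for c in st.controllers:
        for q in st.in_ports(c):
            out.append(transition(c, "program_exec", q.queue[0], q))
    return out


def step(st: State, tr: dict) -> dict:
    """Execute the switch-side operations in place: the head item is dequeued from the
    reception port and the transition's send set is filled with what was transmitted."""
    item = tr["port"].queue.popleft()
    assert item is tr["recv"], "state changed since the transition was enumerated"
    if tr["type"] == "flow_entry_apply":
        dst = tr["apply"].af.split(":", 1)[1]
        st.out_port(tr["node"], dst).queue.append(item)
        tr["send"] = {item["pv"]["id"]}
    elif tr["type"] == "packet_in_send":
        # assumption: a single controller; the Packet-In carries the packet's contents
        msg = {"kind": "message", "mv": {"type": "Packet-In", "packet": item["pv"]}}
        st.out_port(tr["node"], st.controllers[0]).queue.append(msg)
        tr["send"] = {"Packet-In:" + item["pv"]["id"]}
    else:
        tr["send"] = set()  # terminal and controller bodies are not modelled here
    return tr


def build_sample_state() -> State:
    """Constructed network: h1 -> s1 -> h2 with controller c1; s1 only knows the way to h2."""
    st = State(
        terminals=["h1", "h2"],
        switches={"s1": [FlowEntry({"dst": "h2"}, "output:h2")]},
        controllers=["c1"],
        ports=[Port("h1", "s1"), Port("s1", "h1"), Port("s1", "h2"), Port("h2", "s1"),
               Port("s1", "c1"), Port("c1", "s1")],
    )
    st.out_port("h1", "s1").queue.extend([
        {"kind": "packet", "pv": {"id": "packet 1", "src": "h1", "dst": "h2"}},
        {"kind": "packet", "pv": {"id": "packet 2", "src": "h1", "dst": "h3"}},
    ])
    return st
```

Driving the sample state with enabled_transitions and step reproduces the sequence the page describes: packet 1 is forwarded by flow entry application, packet 2 has no applicable entry and is raised to c1 as a Packet-In, after which the controller's program execution becomes enabled.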
- Step S13_3 in FIG. 6 will be described in more detail with reference to FIG.
- the flow of the procedure of step S13_3 is the same as that of the first embodiment, but the contents of step S13_3_3 are different, so only the contents of step S13_3_3 will be described, and the other parts will be omitted.
- in step S13_3_3, the transition of the execution path element Pei and the transition of the execution path element Pej are compared, and it is confirmed whether “transition of execution path element Pej → transition of execution path element Pei” (happens-before relation) holds. Specifically, first, it is checked whether the received message recv of the transition of the execution path element Pei is included in the transmitted message set send of the transition of the execution path element Pej. If it is included, it is assumed that there is a happens-before relationship.
- further, the execution path element Pea whose transition's send includes the received message recv of the transition of Pei, and the execution path element Peb whose transition's send includes the received message recv of the transition of Pej, are searched for among the execution paths to be analyzed, and it is confirmed whether Peb is included in the “happens-before” set of the execution path element Pea. If it is included, it is assumed that there is a happens-before relationship; if it is not included, it is determined that there is no happens-before relationship.
- Step S13_4 of FIG. 6 will be described in more detail with reference to FIG.
- the flow of the procedure of step S13_4 is the same as that of the first embodiment, but the contents of step S13_4_3 are different, so only the contents of step S13_4_3 will be described, and the other parts will be omitted.
- in step S13_4_3, the transition of the execution path element Pen and the transition of the execution path element Pem are compared, and it is confirmed whether they have “dependency and no happens-before relation”.
- in the comparison of step S13_4_3, with regard to the dependency relationship, it is assumed that there is a dependency relationship if the operation subject nodes (node) of the transitions of the execution path elements Pen and Pem match.
- the happens-before relationship is omitted because its check is the same as in step S13_4_3 of the first embodiment.
- In the present embodiment, the model checking device for a distributed environment model stores and manages the states searched during the search performed by model checking (searched state management unit 13) and, at the same time, stores and manages the searched transitions using a graph structure representing a history from which the content of the transitions performed in the search and their order can be obtained separately for each path (searched transition history management unit 14). Further, in managing the searched states and transitions, it records which transition was performed from each searched state (searched state transition correspondence information management unit 15).
- The model checking device 3 for a distributed environment model includes a distributed environment model search unit 11, a distributed environment model dependency analysis unit 12, a searched state management unit 13, a searched transition history management unit 14, a searched state transition correspondence information management unit 15, and a verification information template providing unit 36.
- The distributed environment model search unit 11 is configured to exchange information with the distributed environment model dependency analysis unit 12, the searched state management unit 13, the searched transition history management unit 14, the searched state transition correspondence information management unit 15, and the verification information template providing unit 36.
- The searched state transition correspondence information management unit 15 manages the correspondence that links the searched states managed by the searched state management unit 13 with the transitions managed by the searched transition history management unit 14.
- The verification information template providing unit 36 selectably provides one or more typical templates for the property included in the verification information D11 and accepts a user input selecting one or more of them. The verification information template providing unit 36 then has a function for using the selected template as part or all of the property definition and inputting it to the distributed environment model search unit 11.
- The configurations of the distributed environment model search unit 11, the distributed environment model dependency analysis unit 12, the searched state management unit 13, the searched transition history management unit 14, and the searched state transition correspondence information management unit 15 are the same as in the first and second embodiments, so their description is omitted here.
- In step S11 of FIG. 2, the user selects some desired templates from the verification information template providing device 36, uses them to complete the verification information D11, and inputs the verification information D11 to the distributed environment model search unit 11.
- The user may also create the verification information D11 without using a template at all. The other operations are the same as in the first and second embodiments and are therefore omitted.
- The model checking device for a distributed environment model can be regarded as a tool for verifying validity when constructing a distributed environment, for example an OpenFlow network environment, or when changing such an environment.
- 1. A model checking device for a distributed environment model, comprising: a distributed environment model search unit which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property; a searched state management unit which stores the searched states explored in past searches; a searched transition history management unit which stores the order of the transitions in each of the linear movements executed in the past; a searched state transition correspondence information management unit which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and a distributed environment model dependency analysis unit which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur; wherein, after finishing the search of one of the linear movements, the distributed environment model search unit starts another of the linear movements with the backtrack point as its start position.
- 2. In the model checking device for a distributed environment model according to 1, the distributed environment model search unit confirms whether the state searched during the search of the N-th linear movement (N is an integer of 1 or more) is stored in the searched state management unit and, if it is stored, ends the search of the N-th linear movement with that state as its end position and, using the information stored by the searched transition history management unit and the searched state transition correspondence information management unit, acquires one or more executed paths indicating the transitions performed in past searches after the state at which the search of the N-th linear movement ended, and their order; and the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation among the plurality of transitions, in a predetermined order, included in the continuous path formed by joining the path of the search of the N-th linear movement and each of the one or more executed paths acquired by the distributed environment model search unit, in that order, and generates the backtrack point on the path of the search of the N-th linear movement.
- 3. In the model checking device for a distributed environment model according to 2, when the distributed environment model search unit acquires a plurality of the executed paths, the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation for each of the plurality of continuous paths formed by joining the path of the first linear movement and each of the plurality of executed paths, in that order, and generates the backtrack point on the path of the first linear movement.
- 4. In the model checking device for a distributed environment model according to any one of 1 to 3, the distributed environment model search unit searches a distributed environment model representing an OpenFlow network environment, and the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation in the OpenFlow network environment.
- 5. In the model checking device for a distributed environment model according to any one of 1 to 4, the distributed environment model search unit has a function of receiving the property as an input from a user.
- 6. The model checking device for a distributed environment model according to 5 further comprises a verification information template providing unit which provides templates of the property selectably to the user and accepts a user input selecting one or more of the provided templates, and the distributed environment model search unit acquires the verification information including the property of which the template accepted by the verification information template providing unit forms a part or the whole.
- 7. A program for causing a computer to function as: distributed environment model search means which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property; searched state management means which stores the searched states explored in past searches; searched transition history management means which stores the order of the transitions in each of the linear movements executed in the past; searched state transition correspondence information management means which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and distributed environment model dependency analysis means which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur; the program causing the distributed environment model search means, after finishing the search of one of the linear movements, to start another of the linear movements with the backtrack point as its start position.
- 7-2. In the program according to 7, the distributed environment model search means is caused to confirm whether the state searched during the search of the N-th linear movement (N is an integer of 1 or more) is stored in the searched state management unit and, if it is stored, to end the search of the N-th linear movement with that state as its end position and, using the information stored by the searched transition history management means and the searched state transition correspondence information management means, to acquire one or more executed paths indicating the transitions performed in past searches after the state at which the search of the N-th linear movement ended, and their order; and the distributed environment model dependency analysis means is caused to analyze the dependency relation and the happens-before relation among the plurality of transitions, in a predetermined order, included in the continuous path formed by joining the path of the search of the N-th linear movement and each of the one or more executed paths acquired by the distributed environment model search unit, in that order, and to generate the backtrack point on the path of the search of the N-th linear movement.
- 7-6. In the program according to 7-5, the computer is further caused to function as verification information template providing means which provides templates of the property selectably to the user and accepts a user input selecting one or more of the provided templates, and the distributed environment model search means is caused to acquire the verification information including the property of which the template accepted by the verification information template providing means forms a part or the whole.
- 8. A model checking method for a distributed environment model, in which a computer executes: a distributed environment model search step of, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searching the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determining whether each searched state satisfies a predetermined property; a searched state management step of storing in a storage unit the searched states explored in past searches; a searched transition history management step of storing in the storage unit the order of the transitions in each of the linear movements executed in the past; a searched state transition correspondence information management step of storing in the storage unit, in association with each of the searched states, the transition by which another state was reached from it in a past search; and a distributed environment model dependency analysis step of, when one of the linear movements is finished in the distributed environment model search step, analyzing the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generating a backtrack point indicating a point on the path of that linear movement at which backtracking should occur; wherein, in the distributed environment model search step, after the search of one of the linear movements is finished, another of the linear movements is started with the backtrack point as its start position.
- 8-2. In the model checking method for a distributed environment model according to 8, in the distributed environment model search step it is confirmed whether the state searched during the search of the N-th linear movement (N is an integer of 1 or more) is stored in the storage unit and, if it is stored, the search of the N-th linear movement is ended with that state as its end position and, using the information stored in the storage unit, one or more executed paths indicating the transitions performed in past searches after the state at which the search of the N-th linear movement ended, and their order, are acquired; and in the distributed environment model dependency analysis step the dependency relation and the happens-before relation are analyzed among the plurality of transitions, in a predetermined order, included in the continuous path formed by joining the path of the search of the N-th linear movement and each of the one or more executed paths acquired by the distributed environment model search unit, in that order, and the backtrack point is generated on the path of the search of the N-th linear movement.
- 8-3. In the model checking method for a distributed environment model according to 8-2, when a plurality of the executed paths are acquired in the distributed environment model search step, in the distributed environment model dependency analysis step the dependency relation and the happens-before relation are analyzed for each of the plurality of continuous paths formed by joining the path of the first linear movement and each of the plurality of executed paths, in that order, and the backtrack point is generated on the path of the first linear movement.
- 8-4. In the model checking method for a distributed environment model according to any one of 8 to 8-3, in the distributed environment model search step a distributed environment model representing an OpenFlow network environment is searched, and in the distributed environment model dependency analysis step the dependency relation and the happens-before relation in the OpenFlow network environment are analyzed.
- 8-5. In the model checking method for a distributed environment model according to any one of 8 to 8-4, in the distributed environment model search step the property is received as an input from a user.
- 8-6. In the model checking method for a distributed environment model according to 8-5, the computer further executes a verification information template providing step of providing templates of the property selectably to the user and accepting a user input selecting one or more of the provided templates, and in the distributed environment model search step the verification information including the property of which the template accepted in the verification information template providing step forms a part or the whole is acquired.
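The happens-before check of step S13_3_3, the dependency check of step S13_4_3 and the backtrack-point generation over a linear movement path, together with the concatenation of a linear movement with a previously executed path described in notes 2 and 3, as an added Python illustration; this is not the patent's own code, and the Transition fields, node names, message ids, sample paths and helper names are assumptions. It generalizes the transitivity rule by inheriting the happens-before set of every direct predecessor, and follows the checks above in taking message causality as the only source of happens-before, so a node's own consecutive operations are not ordered by it.

```python
# Added illustration of steps S13_3 (happens-before analysis) and S13_4
# (dependency analysis and backtrack-point generation) over one linear
# movement path. Constructed example, not the patent's own code; the
# Transition fields, node names, message ids and helper names are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Transition:
    """One transition on an execution path."""
    node: str                           # operation subject node
    recv: Optional[str] = None          # message id consumed, if any
    send: FrozenSet[str] = frozenset()  # message ids placed on a channel


def direct_happens_before(earlier: Transition, later: Transition) -> bool:
    """First check of step S13_3_3: `later` receives a message that `earlier`
    sent, so earlier -> later."""
    return later.recv is not None and later.recv in earlier.send


def happens_before_sets(path: List[Transition]) -> List[Set[int]]:
    """For each execution path element Pei (index i) return the set of indices
    j < i with Pej -> Pei. Direct edges come from the send/recv check; the
    transitive case (t1 -> t2 and t2 -> t3 gives t1 -> t3) is obtained by
    inheriting the happens-before set of every direct predecessor, which is
    already complete because the path is processed in order."""
    hb: List[Set[int]] = []
    for i, pei in enumerate(path):
        before: Set[int] = set()
        for j in range(i):
            if direct_happens_before(path[j], pei):
                before.add(j)
                before |= hb[j]
        hb.append(before)
    return hb


def dependent(a: Transition, b: Transition) -> bool:
    """Dependency check of step S13_4_3: the operation subject nodes match."""
    return a.node == b.node


def backtrack_points(path: List[Transition],
                     prefix_len: Optional[int] = None) -> Set[int]:
    """Indices m at which a backtrack point is generated: some later transition
    Pen is dependent on Pem but Pem -> Pen does not hold, so the other order
    has to be searched from the state in which Pem was executed.

    With `prefix_len`, `path` is the path of the N-th linear movement followed
    by an executed path obtained from an earlier search (notes 2 and 3), and
    points are reported only on the first `prefix_len` elements, i.e. on the
    N-th linear movement's own path."""
    hb = happens_before_sets(path)
    limit = len(path) if prefix_len is None else prefix_len
    points: Set[int] = set()
    for n in range(len(path)):
        for m in range(min(n, limit)):
            if dependent(path[m], path[n]) and m not in hb[n]:
                points.add(m)
    return points


# Constructed sample linear movement: node A sends m1, node B receives m1 and
# replies with m2, node A receives m2. A's two transitions are dependent but
# ordered by the A -> B -> A message causality, so no backtrack point arises.
SAMPLE_PATH: List[Transition] = [
    Transition("A", send=frozenset({"m1"})),
    Transition("B", recv="m1", send=frozenset({"m2"})),
    Transition("A", recv="m2"),
]

# Constructed executed path from an earlier search, appended after the state in
# which SAMPLE_PATH ended: an internal operation of node B. It is dependent on
# B's earlier transition without a happens-before edge, so a backtrack point is
# generated at index 1 of SAMPLE_PATH.
EXECUTED_PATH: List[Transition] = [Transition("B")]


if __name__ == "__main__":
    print(happens_before_sets(SAMPLE_PATH))   # [set(), {0}, {0, 1}]
    print(backtrack_points(SAMPLE_PATH))      # set()
    print(backtrack_points(SAMPLE_PATH + EXECUTED_PATH,
                           prefix_len=len(SAMPLE_PATH)))  # {1}
```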
Abstract
Description
A model checking device for a distributed environment model is provided, comprising:
a distributed environment model search unit which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property;
a searched state management unit which stores the searched states explored in past searches;
a searched transition history management unit which stores the order of the transitions in each of the linear movements executed in the past;
a searched state transition correspondence information management unit which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
a distributed environment model dependency analysis unit which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
wherein, after finishing the search of one of the linear movements, the distributed environment model search unit starts another of the linear movements with the backtrack point as its start position.
A program is provided for causing a computer to function as:
distributed environment model search means which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property;
searched state management means which stores the searched states explored in past searches;
searched transition history management means which stores the order of the transitions in each of the linear movements executed in the past;
searched state transition correspondence information management means which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
distributed environment model dependency analysis means which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
and for causing the distributed environment model search means, after finishing the search of one of the linear movements, to start another of the linear movements with the backtrack point as its start position.
A model checking method for a distributed environment model is provided, in which a computer executes:
a distributed environment model search step of, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searching the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determining whether each searched state satisfies a predetermined property;
a searched state management step of storing in a storage unit the searched states explored in past searches;
a searched transition history management step of storing in the storage unit the order of the transitions in each of the linear movements executed in the past;
a searched state transition correspondence information management step of storing in the storage unit, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
a distributed environment model dependency analysis step of, when one of the linear movements is finished in the distributed environment model search step, analyzing the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generating a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
wherein, in the distributed environment model search step, after the search of one of the linear movements is finished, another of the linear movements is started with the backtrack point as its start position.
[Configuration]
First, the configuration of the first embodiment of the present invention will be described in detail with reference to the drawings.
2. Message reception by an operation subject node
3. Internal operation by an operation subject node
Message transmission by an operation subject node will be described. An operation subject node can execute a message transmission operation according to its own state sv. In this operation, operation subject node n generates one message m, stores message m in the message transmission communication channel of node n (which is the reception communication channel of some operation subject node other than n), and changes the content of its own state sv (in some cases it is left unchanged).
2. "If transitions t1 and t2 are both executable in state s1, and the state reached by executing t2 from the state reached by executing t1 from s1 is s2, then the state reached by executing t1 from the state reached by executing t2 from s1 is also s2."
2. "If t1 → t2 and t2 → t3, then t1 → t3."
Next, the operation of the first embodiment will be described in detail.
[Effects]
Next, the second embodiment of the present invention will be described in detail with reference to the drawings. Below, the description of the parts common to the first embodiment is omitted and only the differing parts are described.
[Configuration]
2. Packet reception by a terminal
3. Flow entry application by a switch
4. Packet-In message transmission by a switch
5. OpenFlow message reception by a switch
6. Program execution by the controller
Packet transmission by a terminal will be described. A terminal can execute a packet transmission operation according to its own state sv. In packet transmission by a terminal, terminal t generates one packet p, stores packet p in the transmission communication port of terminal t (which is the packet reception communication port of some switch s), and changes the content of its own state sv (in some cases it is left unchanged).
2. "If the flow entry installed by transition t1 and the flow entry applied by transition t2 are the same, then t1 → t2."
3. "If the packet or OpenFlow message pm1 received by transition t1 and the packet or OpenFlow message pm2 received by transition t2 are stored in the same reception communication port q, and transition t3, which stored pm1 in q, and transition t4, which stored pm2 in q, satisfy t3 → t4, then t1 → t2."
4. "If t1 → t2 and t2 → t3, then t1 → t3."
Next, the operation of the second embodiment will be described in detail. The basic flow is the same as in the first embodiment. The differing parts are described below.
The model checking device for distributed model checking of the present embodiment stores and manages the states searched during the search performed by model checking (searched state management unit 13) and, at the same time, stores and manages the searched transitions using a graph structure representing a history from which the content of the transitions performed in the search and their order can be obtained separately for each path (searched transition history management unit 14). Further, in managing the searched states and transitions, it records which transition was performed from each searched state (searched state transition correspondence information management unit 15).
Next, the third embodiment of the present invention will be described in detail with reference to the drawings. Below, the description of the parts common to the first and second embodiments is omitted and only the differing parts are described.
First, the configuration of the third embodiment of the present invention will be described in detail with reference to the drawings.
In step S11 of FIG. 2, the user selects some desired templates from the verification information template providing device 36, uses them to complete the verification information D11, and inputs it to the distributed environment model search unit 11. The user may also create the verification information D11 without using any template. The other operations are the same as in the first and second embodiments and are therefore omitted.
Since the burden of creating the verification information D11 can be reduced when a user uses the model checking device for a distributed environment model of the present embodiment, the efficiency of the verification as a whole can be improved as a result. In addition, the present embodiment achieves the same operational effects as the first and second embodiments.
1. A model checking device for a distributed environment model, comprising:
a distributed environment model search unit which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property;
a searched state management unit which stores the searched states explored in past searches;
a searched transition history management unit which stores the order of the transitions in each of the linear movements executed in the past;
a searched state transition correspondence information management unit which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
a distributed environment model dependency analysis unit which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
wherein, after finishing the search of one of the linear movements, the distributed environment model search unit starts another of the linear movements with the backtrack point as its start position.
2. In the model checking device for a distributed environment model according to 1,
the distributed environment model search unit confirms whether the state searched during the search of the N-th linear movement (N is an integer of 1 or more) is stored in the searched state management unit and, if it is stored, ends the search of the N-th linear movement with that state as its end position and, using the information stored by the searched transition history management unit and the searched state transition correspondence information management unit, acquires one or more executed paths indicating the transitions performed in past searches after the state at which the search of the N-th linear movement ended, and their order; and
the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation among the plurality of transitions, in a predetermined order, included in the continuous path formed by joining the path of the search of the N-th linear movement and each of the one or more executed paths acquired by the distributed environment model search unit, in that order, and generates the backtrack point on the path of the search of the N-th linear movement.
3. In the model checking device for a distributed environment model according to 2,
when the distributed environment model search unit acquires a plurality of the executed paths,
the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation for each of the plurality of continuous paths formed by joining the path of the first linear movement and each of the plurality of executed paths, in that order, and generates the backtrack point on the path of the first linear movement.
4. In the model checking device for a distributed environment model according to any one of 1 to 3,
the distributed environment model search unit searches a distributed environment model representing an OpenFlow network environment, and
the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation in the OpenFlow network environment.
5. In the model checking device for a distributed environment model according to any one of 1 to 4,
the distributed environment model search unit has a function of receiving the property as an input from a user.
6. The model checking device for a distributed environment model according to 5,
further comprising a verification information template providing unit which provides templates of the property selectably to the user and accepts a user input selecting one or more of the provided templates,
wherein the distributed environment model search unit acquires the verification information including the property of which the template accepted by the verification information template providing unit forms a part or the whole.
7. A program for causing a computer to function as:
distributed environment model search means which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property;
searched state management means which stores the searched states explored in past searches;
searched transition history management means which stores the order of the transitions in each of the linear movements executed in the past;
searched state transition correspondence information management means which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
distributed environment model dependency analysis means which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
and for causing the distributed environment model search means, after finishing the search of one of the linear movements, to start another of the linear movements with the backtrack point as its start position.
7-2. In the program according to 7,
the distributed environment model search means is caused to confirm whether the state searched during the search of the N-th linear movement (N is an integer of 1 or more) is stored in the searched state management unit and, if it is stored, to end the search of the N-th linear movement with that state as its end position and, using the information stored by the searched transition history management means and the searched state transition correspondence information management means, to acquire one or more executed paths indicating the transitions performed in past searches after the state at which the search of the N-th linear movement ended, and their order; and
the distributed environment model dependency analysis means is caused to analyze the dependency relation and the happens-before relation among the plurality of transitions, in a predetermined order, included in the continuous path formed by joining the path of the search of the N-th linear movement and each of the one or more executed paths acquired by the distributed environment model search unit, in that order, and to generate the backtrack point on the path of the search of the N-th linear movement.
7-3. In the program according to 7-2,
when the distributed environment model search means acquires a plurality of the executed paths,
the distributed environment model dependency analysis means is caused to analyze the dependency relation and the happens-before relation for each of the plurality of continuous paths formed by joining the path of the first linear movement and each of the plurality of executed paths, in that order, and to generate the backtrack point on the path of the first linear movement.
7-4. In the program according to any one of 7 to 7-3,
the distributed environment model search means is caused to search a distributed environment model representing an OpenFlow network environment, and
the distributed environment model dependency analysis means is caused to analyze the dependency relation and the happens-before relation in the OpenFlow network environment.
7-5. In the program according to any one of 7 to 7-4,
the distributed environment model search means is provided with a function of receiving the property as an input from a user.
7-6. In the program according to 7-5,
the computer is further caused to function as
verification information template providing means which provides templates of the property selectably to the user and accepts a user input selecting one or more of the provided templates, and
the distributed environment model search means is caused to acquire the verification information including the property of which the template accepted by the verification information template providing means forms a part or the whole.
8. A model checking method for a distributed environment model, in which a computer executes:
a distributed environment model search step of, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searching the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determining whether each searched state satisfies a predetermined property;
a searched state management step of storing in a storage unit the searched states explored in past searches;
a searched transition history management step of storing in the storage unit the order of the transitions in each of the linear movements executed in the past;
a searched state transition correspondence information management step of storing in the storage unit, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
a distributed environment model dependency analysis step of, when one of the linear movements is finished in the distributed environment model search step, analyzing the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generating a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
wherein, in the distributed environment model search step, after the search of one of the linear movements is finished, another of the linear movements is started with the backtrack point as its start position.
8-2. In the model checking method for a distributed environment model according to 8,
in the distributed environment model search step, it is confirmed whether the state searched during the search of the N-th linear movement (N is an integer of 1 or more) is stored in the storage unit and, if it is stored, the search of the N-th linear movement is ended with that state as its end position and, using the information stored in the storage unit, one or more executed paths indicating the transitions performed in past searches after the state at which the search of the N-th linear movement ended, and their order, are acquired; and
in the distributed environment model dependency analysis step, the dependency relation and the happens-before relation are analyzed among the plurality of transitions, in a predetermined order, included in the continuous path formed by joining the path of the search of the N-th linear movement and each of the one or more executed paths acquired by the distributed environment model search unit, in that order, and the backtrack point is generated on the path of the search of the N-th linear movement.
8-3. In the model checking method for a distributed environment model according to 8-2,
when a plurality of the executed paths are acquired in the distributed environment model search step,
in the distributed environment model dependency analysis step, the dependency relation and the happens-before relation are analyzed for each of the plurality of continuous paths formed by joining the path of the first linear movement and each of the plurality of executed paths, in that order, and the backtrack point is generated on the path of the first linear movement.
8-4. In the model checking method for a distributed environment model according to any one of 8 to 8-3,
in the distributed environment model search step, a distributed environment model representing an OpenFlow network environment is searched, and
in the distributed environment model dependency analysis step, the dependency relation and the happens-before relation in the OpenFlow network environment are analyzed.
8-5. In the model checking method for a distributed environment model according to any one of 8 to 8-4,
in the distributed environment model search step, the property is received as an input from a user.
8-6. In the model checking method for a distributed environment model according to 8-5,
the computer further executes
a verification information template providing step of providing templates of the property selectably to the user and accepting a user input selecting one or more of the provided templates, and
in the distributed environment model search step, the verification information including the property of which the template accepted in the verification information template providing step forms a part or the whole is acquired.
Claims (8)
- A model checking device for a distributed environment model, comprising:
a distributed environment model search unit which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property;
a searched state management unit which stores the searched states explored in past searches;
a searched transition history management unit which stores the order of the transitions in each of the linear movements executed in the past;
a searched state transition correspondence information management unit which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
a distributed environment model dependency analysis unit which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
wherein, after finishing the search of one of the linear movements, the distributed environment model search unit starts another of the linear movements with the backtrack point as its start position.
- The model checking device for a distributed environment model according to claim 1, wherein
the distributed environment model search unit confirms whether the state searched during the search of the N-th linear movement (N is an integer of 1 or more) is stored in the searched state management unit and, if it is stored, ends the search of the N-th linear movement with that state as its end position and, using the information stored by the searched transition history management unit and the searched state transition correspondence information management unit, acquires one or more executed paths indicating the transitions performed in past searches after the state at which the search of the N-th linear movement ended, and their order; and
the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation among the plurality of transitions, in a predetermined order, included in the continuous path formed by joining the path of the search of the N-th linear movement and each of the one or more executed paths acquired by the distributed environment model search unit, in that order, and generates the backtrack point on the path of the search of the N-th linear movement.
- The model checking device for a distributed environment model according to claim 2, wherein,
when the distributed environment model search unit acquires a plurality of the executed paths,
the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation for each of the plurality of continuous paths formed by joining the path of the first linear movement and each of the plurality of executed paths, in that order, and generates the backtrack point on the path of the first linear movement.
- The model checking device for a distributed environment model according to any one of claims 1 to 3, wherein
the distributed environment model search unit searches a distributed environment model representing an OpenFlow network environment, and
the distributed environment model dependency analysis unit analyzes the dependency relation and the happens-before relation in the OpenFlow network environment.
- The model checking device for a distributed environment model according to any one of claims 1 to 4, wherein
the distributed environment model search unit has a function of receiving the property as an input from a user.
- The model checking device for a distributed environment model according to claim 5,
further comprising a verification information template providing unit which provides templates of the property selectably to the user and accepts a user input selecting one or more of the provided templates,
wherein the distributed environment model search unit acquires the verification information including the property of which the template accepted by the verification information template providing unit forms a part or the whole.
- A program for causing a computer to function as:
distributed environment model search means which, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searches the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determines whether each searched state satisfies a predetermined property;
searched state management means which stores the searched states explored in past searches;
searched transition history management means which stores the order of the transitions in each of the linear movements executed in the past;
searched state transition correspondence information management means which stores, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
distributed environment model dependency analysis means which, when the distributed environment model search unit finishes one of the linear movements, analyzes the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generates a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
and for causing the distributed environment model search means, after finishing the search of one of the linear movements, to start another of the linear movements with the backtrack point as its start position.
- A model checking method for a distributed environment model, in which a computer executes:
a distributed environment model search step of, upon acquiring information representing a distributed environment model that can take a plurality of states and moves between the states by predetermined transitions realized by executing predetermined operations executable in each state, searching the states that the distributed environment model can take by executing a plurality of linear movements, each of which starts at a first one of the states as a start position and moves linearly, without branching, through one or more of the transitions to a second one of the states as an end position, and determining whether each searched state satisfies a predetermined property;
a searched state management step of storing in a storage unit the searched states explored in past searches;
a searched transition history management step of storing in the storage unit the order of the transitions in each of the linear movements executed in the past;
a searched state transition correspondence information management step of storing in the storage unit, in association with each of the searched states, the transition by which another state was reached from it in a past search; and
a distributed environment model dependency analysis step of, when one of the linear movements is finished in the distributed environment model search step, analyzing the dependency relation and the happens-before relation among the plurality of transitions executed in a predetermined order in that linear movement and generating a backtrack point indicating a point on the path of that linear movement at which backtracking should occur;
wherein, in the distributed environment model search step, after the search of one of the linear movements is finished, another of the linear movements is started with the backtrack point as its start position.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/110,478 US9880923B2 (en) | 2014-01-17 | 2014-08-21 | Model checking device for distributed environment model, model checking method for distributed environment model, and medium |
JP2015557700A JP6332284B2 (ja) | 2014-01-17 | 2014-08-21 | 分散環境モデル用モデル検査装置、分散環境モデル用モデル検査方法及びプログラム |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014-007068 | 2014-01-17 | ||
JP2014007068 | 2014-01-17 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015107711A1 true WO2015107711A1 (ja) | 2015-07-23 |
Family
ID=53542625
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/071844 WO2015107711A1 (ja) | 2014-01-17 | 2014-08-21 | 分散環境モデル用モデル検査装置、分散環境モデル用モデル検査方法及びプログラム |
Country Status (3)
Country | Link |
---|---|
US (1) | US9880923B2 (ja) |
JP (1) | JP6332284B2 (ja) |
WO (1) | WO2015107711A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018083977A1 (ja) * | 2016-11-01 | 2018-05-11 | 日本電気株式会社 | システム構築支援装置、方法およびプログラム |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10552408B2 (en) * | 2016-11-02 | 2020-02-04 | Oracle International Corporation | Automatic linearizability checking of operations on concurrent data structures |
CN112504348B (zh) * | 2020-12-11 | 2023-07-25 | 厦门汇利伟业科技有限公司 | 一种融合环境因素的物体状态显示方法和系统 |
US11635949B2 (en) * | 2021-12-17 | 2023-04-25 | Intel Corporation | Methods, systems, articles of manufacture and apparatus to identify code semantics |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090282288A1 (en) * | 2008-05-08 | 2009-11-12 | Nec Laboratories America, Inc. | Dynamic model checking with property driven pruning to detect race conditions |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7840946B2 (en) * | 2006-06-02 | 2010-11-23 | International Business Machines Corporation | System and method for matching a plurality of ordered sequences with applications to call stack analysis to identify known software problems |
WO2008002937A2 (en) * | 2006-06-26 | 2008-01-03 | Sourcelabs, Inc. | Efficient software diagnostics |
AU2007299571B2 (en) * | 2006-09-20 | 2013-09-12 | National Ict Australia Limited | Generating a transition system for use with model checking |
WO2008137223A1 (en) * | 2007-05-07 | 2008-11-13 | Nec Laboratories America, Inc. | Accelerating model checking via synchrony |
US9442701B1 (en) * | 2007-06-21 | 2016-09-13 | The Mathworks, Inc. | Verifying models for exceptional behavior |
US8381226B2 (en) * | 2008-02-07 | 2013-02-19 | Nec Laboratories America, Inc. | System and method for monotonic partial order reduction |
US20090276469A1 (en) * | 2008-05-01 | 2009-11-05 | International Business Machines Corporation | Method for transactional behavior extaction in distributed applications |
US8589126B2 (en) * | 2009-05-27 | 2013-11-19 | Nec Laboratories America, Inc. | System and method for model checking by interleaving stateless and state-based methods |
US8732669B2 (en) * | 2011-03-11 | 2014-05-20 | Oracle International Corporation | Efficient model checking technique for finding software defects |
US8671396B2 (en) * | 2011-05-30 | 2014-03-11 | Microsoft Corporation | Dynamic interface reduction for software model checking |
US9244510B1 (en) * | 2011-09-23 | 2016-01-26 | The Mathworks, Inc. | Bug report checks in a modeling system |
US9098620B2 (en) * | 2012-05-12 | 2015-08-04 | Palo Alto Research Center Incorporated | System and method for parallel model checking utilizing parallel structured duplicate detection |
US20150074652A1 (en) * | 2013-09-10 | 2015-03-12 | International Business Machines Corporation | Avoiding similar counter-examples in model checking |
2014
- 2014-08-21 WO PCT/JP2014/071844 patent/WO2015107711A1/ja active Application Filing
- 2014-08-21 US US15/110,478 patent/US9880923B2/en active Active
- 2014-08-21 JP JP2015557700A patent/JP6332284B2/ja active Active
Non-Patent Citations (1)
Title |
---|
Yutaka Yakuwa et al., "Model Checking of OpenFlow Network with Abstraction of Packets Based on Symbolic Execution", IEICE Technical Report, vol. 113, no. 140, 11 July 2013, pp. 107-112 |
Also Published As
Publication number | Publication date |
---|---|
JP6332284B2 (ja) | 2018-05-30 |
JPWO2015107711A1 (ja) | 2017-03-23 |
US20160335170A1 (en) | 2016-11-17 |
US9880923B2 (en) | 2018-01-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6332284B2 (ja) | | Model checking device for distributed environment models, model checking method for distributed environment models, and program |
Cengic et al. | | On formal analysis of IEC 61499 applications, Part A: Modeling |
CN106909543A (zh) | | Pattern matching method and device for a rule engine |
JP2010506309A (ja) | | Interprocedural dataflow analysis of parameterized concurrent software |
JPWO2015107711A6 (ja) | | Model checking device for distributed environment models, model checking method for distributed environment models, and program |
CN111355696A (zh) | | Packet identification method and device, DPI equipment, and storage medium |
Moon et al. | | A compositional model to reason about end-to-end QoS in stochastic Reo connectors |
CN113568604A (zh) | | Risk control policy update method and device, and computer-readable storage medium |
Kuroiwa et al. | | Testing environment for CPS by cooperating model checking with execution testing |
US8219364B2 (en) | | Method to improve unfolding in Petri nets |
Norman et al. | | Model checking probabilistic and stochastic extensions of the π-calculus |
Balbo et al. | | First passage time computation in tagged GSPNs with queue places |
JP6428768B2 (ja) | | Model checking device, method, and storage medium storing program |
Liu et al. | | Complexity of the soundness problem of bounded workflow nets |
Anseeuw et al. | | Design Time Validation for the Correct Execution of BPMN Collaborations |
CN113987107A (zh) | | Behavior-tree-based dialogue method and device, electronic equipment, and storage medium |
Oliveira et al. | | IMCReo: interactive Markov chains for stochastic Reo |
JP6263487B2 (ja) | | Process extraction device, process extraction method, and program |
Spegni et al. | | ChoEn: A smart contract based choreography enforcer |
Daszczuk | | Critical trees: counterexamples in model checking of CSM systems using CBS algorithm |
Savickas et al. | | Business process event log use for activity sequence analysis |
Kaliappan et al. | | An approach to synchronize UML-based design components for model-driven protocol development |
Cushing et al. | | Automata-based dynamic data processing for clouds |
WO2016079962A1 (ja) | | Model checking device, model checking method, and storage medium |
JP2016015672A (ja) | | Network control device and network setting system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14878524; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2015557700; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 15110478; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 14878524; Country of ref document: EP; Kind code of ref document: A1 |