WO2016151710A1 - Specification configuration device and method - Google Patents

Specification configuration device and method

Info

Publication number
WO2016151710A1
Authority
WO
WIPO (PCT)
Prior art keywords
model
transition
data
event
state
Prior art date
Application number
PCT/JP2015/058610
Other languages
English (en)
Japanese (ja)
Inventor
啓伸 來間
宮崎 邦彦
伊藤 信治
佐藤 直人
Original Assignee
株式会社日立製作所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社日立製作所
Priority to PCT/JP2015/058610
Priority to JP2017507175A, patent JP6169302B2
Publication of WO2016151710A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software

Definitions

  • the present invention relates to an apparatus and method for verifying a system specification in an initial process of system design and supporting the configuration.
  • the specification generally includes a description regarding data handled by the system, a description regarding processing executed by the system, and a description regarding dynamic behavior of the system.
  • a use case is used for a description relating to processing
  • a processing flow diagram is used for a description relating to behavior, while a description relating to data is often abstracted and embedded in a use case.
  • Patent Document 1 discloses a method in which specifications are described in four tables (a state transition table, an action table, a condition determination table, and a constraint condition table) and then combined to form a formal model whose consistency is verified.
  • the state transition table includes a state, an event, and a transition, a guard condition in which the transition occurs, and an action associated with the transition.
  • the action table is composed of pre-conditions for causing an action, post-conditions to be established after the action, and processing contents representing element value update by the action.
  • the condition determination table expresses a determination condition as to whether or not an action and a transition can be executed, and includes a guard condition and a precondition.
  • the constraint table describes element values for each state.
  • the device of Patent Document 1 generates one formal model from the described specifications. This model is input to the model checker, and the consistency is verified using the model checker, thereby mechanically detecting the inconsistency of the described specification.
  • Model checking is an exhaustive check for all combinations of state transitions, so it is an effective verification method for system specification verification that includes parallel operations. ineffective.
  • The disclosed specification component device comprises a transition model input unit that inputs a transition model in which the dynamic behavior of the system is described by a combination of system states and state transitions caused by events,
  • a processing model input unit that inputs a processing model in which the data value updates accompanying transitions caused by events are described,
  • a verification condition input unit that inputs a verification condition in which a condition on the data values that the system should satisfy is associated with a state,
  • a model combining unit that associates the transition model and the processing model through their common events and generates a combined model obtained by combining the two,
  • and a data flow analysis unit that performs data flow analysis on the combined model and verifies that the verification condition is satisfied for the state.
  • With the disclosed specification component device, it is possible to efficiently verify a specification described by a person in the initial process of system design.
  • the user inputs the transition model, processing model, and verification condition, and verifies that there is no inconsistency between the transition model and the processing model and that the verification condition that is input separately is satisfied using the specification component device.
  • When the transition model includes parallel operations involving a plurality of state transition sequences, the deadlock inspection model generated by the specification component device is used to inspect that no deadlock, in which the state transitions do not proceed, occurs depending on the execution order of the state transition sequences.
  • FIG. 1 is a flowchart showing a specification configuration method in the specification configuration apparatus.
  • the user inputs a transition model (step 1), a processing model (step 2), and a verification condition (step 3) into the specification component device. These inputs may be performed in any order.
  • the verification condition may be input after the next step 4.
  • the specification component device collates the input transition model with the processing model, and generates a model in which both are combined (step 4).
  • The specification configuration apparatus analyzes the data flow of the combined model and verifies that the processing of the processing model can be executed in the order of the transition model and, further, that the verification condition is satisfied (step 5).
  • The specification configuration apparatus determines whether the verification condition is satisfied (step 6), and if the verification condition is not satisfied, the process proceeds to inconsistent location output (step 7). If the verification condition is satisfied, the specification configuration apparatus determines whether or not there is a parallel operation (step 8). If there is no parallel operation, the input model is consistent, and the specification configuration apparatus ends the process.
  • If the model includes parallel operation, the specification component device generates a deadlock inspection model for inspecting the presence or absence of deadlock (step 9).
  • Using a general model checker such as SPIN (Mordechai Ben-Ari, translated by Junichi Nakajima, Koichi Tsutani, Satoshi Nonaka, Taro Adachi: Introduction to SPIN Model Checking, Ohm Co., 2010), the presence or absence of deadlock is inspected (step 10).
  • the specification configuration apparatus determines whether or not there is a deadlock (step 11), and if there is a deadlock, executes the inconsistent location output (step 7). If there is no deadlock, the specification component apparatus determines that the input model is consistent and ends the process.
  • FIG. 2 is a diagram showing the configuration of the specification configuration apparatus, which has components corresponding to the steps in FIG.
  • the specification component device 21 outputs the verification result 27 and the deadlock inspection model 210.
  • the transition model input unit 22 inputs a transition model from the user.
  • FIG. 2 illustrates a mode in which the user operates the specification configuration device 21 and inputs a transition model.
  • The present invention is not limited to this mode; a mode in which a transition model described in advance by the user is input through a file or the like may also be used.
  • When a transition model is input, a form that supports user input with reference to the processing model and the verification conditions may be used. The same applies to the processing model input unit 23 and the verification condition input unit 24.
  • the processing model input unit 23 inputs a processing model from the user.
  • the verification condition input unit 24 inputs verification conditions from the user.
  • the model combining unit 25 generates a model that combines the input transition model and the processing model.
  • The data flow analysis unit 26 analyzes the data flow of the model generated by the model combining unit 25 and verifies that the processing of the processing model can be executed in the order of the transition model and, further, that the verification condition is satisfied.
  • the specification component device 21 outputs a verification result 27 by the data flow analysis unit 26.
  • the deadlock check model generation unit 28 converts a model into a format that can be processed by the model checker for performing a deadlock check using a general model checker.
  • the input of the deadlock inspection is not necessarily a verified model, and may be generated again from the transition model and the processing model.
  • the specification component device 21 outputs the deadlock inspection model 29 generated by the deadlock inspection model generation unit 28.
  • the user inputs the deadlock check model 29 to the model checker 210 and obtains the deadlock check result 211.
  • FIG. 3 is a diagram showing a description example of the transition model input by the user.
  • the transition model describes the flow of processing in a format that conforms to the processing flow used in the upstream process.
  • SI represents a start state 31 and SE represents an end state 32.
  • the flow of processing starts from the start state 31 and ends when the end state 32 is reached through a series of processes.
  • Squares 32 to 36 indicate processing, and are called events here.
  • An arrow represents a process to be executed next, and is referred to as a transition here.
  • the circle connecting the arrows is called a state here.
  • the processing flow represented by the transition model in FIG. 3 is as follows. The process starts from the start state 31, and after the processing of either the acceptance category determination new 32 or the acceptance category determination renewal 33 is executed, the contract creation 34 is executed. Thereafter, the contractor information registration 36 is executed to reach an end state 37, or the application category change 35 returns to either the acceptance category determination new 32 or the acceptance category determination renewal 33 again.
  • a transition model can describe multiple such processing flows. That is, there can be a plurality of series of processes from the start state to the end state that do not intersect with each other. In that case, it is considered that those processing flows operate in parallel.
  • the processing flow is considered to be synchronized through the common event.
  • the specification component device 21 checks in step 10 in FIG. 1 that no deadlock occurs when the transition model includes parallel operations.
  • the description format of the transition model is not limited to the diagram format as shown in FIG. 3, and may be a text format or a table format as long as it can describe transitions by states and events.
  • FIG. 4 is a diagram showing a description example of the processing model input by the user.
  • The processing model describes the data value condition for executing a process and the data values after the process, in a format that conforms to the pre-condition and post-condition descriptions of the use case diagram used in the upstream process. As in the transition model, a process described in the processing model is referred to as an event here. The events of the transition model and the events of the processing model must match, and the specification component device 21 checks this when combining the models in step 4 of FIG.
  • the processing of the acceptance category determination new 41 indicates that the value of the data acceptance category becomes new when the value of the data application category is new.
  • The description of the data values that are the premise of the processing is called the condition part, and the description of the data values set by the processing is called the consequent part.
  • values are set for two data in the consequent section. This represents that the value of the data acceptance category is updated and the value of the data contract is confirmed.
  • the process of contract creation 43a, 43b is an example in which one process is divided into a plurality of items.
  • the contract creation 43a indicates that the value of the contract is confirmed when the value of the data reception category is new, and the contract creation 43b indicates that nothing is performed when the value of the data reception category is renewal.
  • the processing model of FIG. 4 further describes the processing of acceptance category changes 44a and 44b and the processing of contractor information registration 45.
  • There may be a plurality of items described in the condition part of a process, or zero. If the condition part has zero items, the condition is considered to always hold. When the condition part has a plurality of items, the premise of the processing is that all of these conditions are satisfied. A logical expression on the data values may be described in the condition part.
  • The consequent part may also include a plurality of items or zero. If there are a plurality of values, the values are set at the same time. If the number is zero, nothing is done, as in the example of the contract creation 43b.
  • The description format of the processing model is not limited to the table format shown in FIG. 4; any text format or data format, or a diagram form, may be used as long as it can describe the data value condition for the event to occur and the data value condition after the event.
  • FIG. 5 is a diagram illustrating a description example of the verification condition input by the user.
  • the verification condition is associated with the state of the transition model in FIG. 3 and lists data values expected when the process has progressed to that state.
  • FIG. 5 requests that the value of the data contractor information be finalized (51) when the processing represented by the transition model in FIG. 3 has advanced to the end state, that is, when a series of processing has been completed. Similarly, it requests (52) that, when the process represented by the transition model in FIG. 3 has proceeded to the end state, either the application category value is new and the acceptance category value is new, or the application category value is renewal and the acceptance category value is renewal. As in the latter, a logical expression may be described in the verification condition.
  • the description format of the verification condition is not limited to the diagram format as shown in FIG. 5, but may be a text format or a table format as long as it can describe an expected data value in association with the state.
  • FIG. 6 is a flow diagram of the model combining unit 25 (a flow diagram illustrating a procedure for combining the transition model and the processing model in Step 4 of FIG. 1). By this procedure, the input transition model and the processing model are collated and combined into one model.
  • the model combining unit 25 extracts an event from the transition model (step 61), and extracts an event from the processing model (step 62). The model combining unit 25 determines whether or not these events match (step 63), and if they do not match, outputs that they do not match (step 67) and ends.
  • The model combining unit 25 extracts the states from the transition model (step 64), and constructs a directed graph having the states as nodes and the events as edges (step 65). The model combining unit 25 adds nodes corresponding to the start state and the end state to the constructed directed graph and connects them with edges (step 66).
  • The model configured by combining the transition model and the processing model in this way is referred to as a combined model here. Since a transition model can generally include a plurality of processing flows, a single combined model can have a plurality of directed graphs.
  • FIG. 7 is a diagram showing an example of a combined model. This example corresponds to the transition model of FIG. 3 and the processing model of FIG. 4, and the combined model is composed of one directed graph.
  • a circle represents a directed graph node, and an arrow represents an edge.
  • the label (name) of the edge is an event name.
  • FIG. 8 is a flow diagram of the data flow analysis unit 26 (a flow diagram showing the data flow analysis procedure of step 5 in FIG. 1).
  • the data flow analysis unit 26 adds data and a change in its value on the directed graph obtained by combining the transition model and the processing model.
  • the data flow analysis unit 26 provides a method for processing them.
  • a directed graph generally includes branching, merging, and repetition, so a method for preventing repeated processing of a set of processed data values is also provided.
  • the data flow analysis unit 26 allocates a storage area D for storing a plurality of sets of data values to all the nodes of the directed graph (step 81).
  • the assigned initial value of D is empty.
  • the data flow analysis unit 26 stores the set of initial data values in the storage area D of the node corresponding to the start state (step 82).
  • the data flow analysis unit 26 analyzes changes in data values when processing of the processing model is executed in the order of the transition model.
  • the data flow analysis unit 26 executes this analysis by calling the procedure 1 (step 83).
  • After step 83, sets of data values have been added to each node, so the data flow analysis unit 26 verifies that these satisfy the verification condition. For this verification, the data flow analysis unit 26 obtains all sets of data values in the storage area D of the state specified in the verification condition (step 84), and determines whether they satisfy the verification condition (step 85).
  • If the verification condition is not satisfied, the data flow analysis unit 26 outputs a failure (step 86) and ends. If the verification condition is satisfied, the data flow analysis unit 26 ends, assuming that the transition model matches the processing model.
  • FIG. 9 is a flowchart showing the procedure of the procedure 1 of the data flow analysis unit 26.
  • the procedure 1 calls the procedure 2 for executing the data flow analysis for all initial data sets (step 91).
  • Procedure 1 sets node n to be processed by procedure 2 and data value set d to be processed to the initial data set. Specifically, n is set as a start node (step 92), d is set as a set of initial data (step 93), and procedure 2 is called (step 94).
  • FIG. 10 is a flowchart showing the procedure of the procedure 2 of the data flow analysis unit 26.
  • For all events that can occur at node n, the data value set at the destination node reached by the event is calculated.
  • Procedure 2 obtains the outward edges from node n (step 101). If there are outward edges (step 102), all the outward edges from n are processed in turn (step 103): the edge to be processed is set as e (step 104) and procedure 3 is called (step 105).
  • When there is no outward edge from n at step 102, there is no transition destination from n, so procedure 2 determines whether n is the end state (step 106). If it is the end state, the process terminates; if it is not, procedure 2 outputs that the transition model is inconsistent (step 107).
  • FIG. 11 is a flowchart showing the procedure of the procedure 3 of the data flow analysis unit 26.
  • The procedure 3 refers to the processing model for a given edge e and data value set d, selects e that can occur under d, and calculates the data value after the transition.
  • Procedure 3 calculates a set of data values for all these transition destinations.
  • Procedure 3 selects, from the event corresponding to e, the items of the processing model whose condition part matches d (step 111). If such items exist (step 112), procedure 3 calls procedure 4 (step 114) for all of those items (step 113).
  • FIG. 12 is a flowchart showing the procedure of the procedure 4 of the data flow analysis unit 26.
  • the procedure 4 calculates a pair of data values of the transition destination from the given data value pair d, the node n, and the edge e, adds the data value pair to the storage area D of the transition destination node, and advances the node to the transition destination node.
  • the procedure 2 of the data flow analysis unit 26 is recursively called.
  • The procedure 4 calculates the data value set d_{n+1} of the transition destination from d and the result part of the item of the processing model selected in the procedure 3 (step 121).
  • The procedure 4 follows the edge e to obtain the transition destination node n+1 (step 122), and obtains the data value storage area D_{n+1} associated with the node n+1 (step 123).
  • Procedure 4 determines whether the data value set d_{n+1} already exists in D_{n+1} (step 124). If not, d_{n+1} is added to D_{n+1}, and an edge is drawn from d_n to d_{n+1} (step 125). Since one of the processes related to the change of the data value set d_n by the edge e from the node n is then complete, the node is advanced by one, and the procedure 2 is called with n+1 as n and d_{n+1} as d (step 126).
  • If d_{n+1} exists in D_{n+1} at step 124, the analysis of the data value set d_{n+1} has already been completed at node n+1. An edge is drawn from d_n to d_{n+1} (step 127), and the process ends.
  • In order to record how the set of data values has changed, procedure 4 draws an edge from d_n to d_{n+1} in step 125 and step 127.
  • a directed graph with a set of data values as a node and an event as an edge is formed separately from the directed graph with a state as a node and an event as an edge.
  • this is referred to as a data transition graph.
  • a data transition graph facilitates tracking changes in a set of data values and improves verification efficiency during deadlock verification.
  • FIG. 13 is a diagram illustrating an example of a set of data values generated by the data flow analysis unit 26. This figure corresponds to the example of the transition model of FIG. 3 and the processing model of FIG.
  • the balloon in FIG. 13 represents the storage area D associated with each node.
  • A group of values enclosed in < and > in D represents a set of data values in that state; in the figure, the order is <application category, acceptance category, contract, contractor information>. A "-" indicates that the value has not been determined.
  • The balloon 131 indicates that two initial data sets, <new,-,-,-> and <update,-,-,->, exist in the start state. This represents that, in the start state, there is a set of data values in which nothing is determined except that the application category is new, and a set of data values in which nothing is determined except that the application category is update.
  • the balloon 132 indicates a set of data values in the next state after the start state. In addition to the data value pairs from the starting state, there are four data value pairs because there are data value pairs returned by the event application category change.
  • a balloon 135 is a set of data values after event contractor information registration, and a balloon 136 is a set of data values in the end state.
  • The verification condition requests that the contractor information be confirmed in the final state (51), and that either the application category is new and the reception category is new, or the application category is renewal and the reception category is renewal (52); it can be easily verified that the balloon 136 satisfies this condition.
  • This verification is performed at step 84 and step 85 in FIG.
  • FIG. 14 is a diagram illustrating an example of a data transition graph generated by the data flow analysis unit 26.
  • a set of two initial data values of the balloon 131 in FIG. 13 corresponds to the node 141 and the node 142 in FIG.
  • balloon 132 corresponds to node 143 to node 146
  • balloon 133 corresponds to node 147 to node 149
  • balloon 134 corresponds to node 1410 to node 1411
  • balloon 135 corresponds to node 1412 to node 1413
  • balloon 136 corresponds to node 1414 to node 1415.
  • FIG. 14 shows the result of drawing the edges from d_n to d_{n+1} in step 125 and step 127 of FIG.
  • a data transition graph is constructed in which a set of data values is a node and an event is an edge.
  • the data transition graph records how the set of data values has changed, and is stored in the memory of the specification component device 21 for use by the deadlock check model generation unit 28.
  • FIG. 15 is a flowchart of the deadlock inspection model generation unit 28 (a flow diagram showing a procedure for generating a deadlock inspection model in step 9 of FIG. 1).
  • When the transition model includes parallel operations, that is, when there are a plurality of independent processing flows in the transition model, the specification configuration device 21 uses the model checker 210 to check whether there is a deadlock between them.
  • FIG. 15 shows a procedure for generating a deadlock check model 29 that is input to the model checker 210.
  • The deadlock checking model 29 includes a description of a process corresponding to the combined model generated from each processing flow, a description of a cooperation process that synchronizes them, and a description of the information shared between processes. Therefore, the deadlock check model generation unit 28 calls the procedure A to generate the inter-process shared information (step 151), and then calls the procedure B to generate the cooperation process description (step 152). Thereafter, for all combined models (step 153), the procedure C is called to generate a process description (step 154).
  • FIG. 16 is a flowchart showing the procedure of the procedure A of the deadlock inspection model generation unit 28.
  • The procedure A generates a description of the event passing channels and the state variables shared between processes. To do so, for all combined models (step 161), the procedure A generates a channel for passing events (step 162) and a state variable (step 163).
  • the data node of the data transition graph is numbered and set as the value of the state variable (step 164).
  • FIG. 17 is a flowchart showing the procedure B of the deadlock checking model generation unit 28.
  • the procedure B generates a description of the cooperation process.
  • the cooperation process generates an event that can occur under the information of the data transition graph of each connection model, and transmits the event to the process generated from each connection model through the channel.
  • Procedure B generates a process framework (step 171), and executes steps 173 to 174 for all events e (step 172). That is, for all the data transition graphs, the data nodes having e as an outward edge are extracted (step 173), and a statement is generated that generates the event e when, in all combined models related to e, the value of the state variable is one of the extracted data nodes (step 174). A statement for transmitting the generated event to each process through the channel is generated (step 175).
  • FIG. 18 is a flowchart showing the procedure C of the deadlock inspection model generation unit 28.
  • Procedure C generates a process description for each combined model that operates in parallel.
  • Procedure C generates a statement for receiving an event through the channel (step 181).
  • The procedure C generates a statement that assigns the start data node of the data transition model to the state variable, corresponding to the initial state (step 182), and generates a statement, corresponding to the end state, in which the value of the state variable is the end data node of the data transition model (step 183).
  • When there are a plurality of initial values, there are a plurality of start data nodes of the data transition model.
  • In that case, one dummy start node that transitions to these start data nodes is set.
  • Procedure C calls procedure D for all data nodes except the start data node and the end data node in order to generate a description relating to the data node in the middle between the initial state and the end state (step 184).
  • FIG. 19 is a flowchart showing the procedure D of the deadlock inspection model generation unit 28.
  • Procedure D describes a transition due to an event based on the data transition graph.
  • Procedure D extracts outward edges and transition destination nodes from the data nodes of the data transition graph (step 191).
  • the procedure D generates a statement for replacing the state variable with the transition destination node when the value of the state variable is a data node having an outward edge and the event is an outward edge (step 192).
  • the procedure D assigns a name to the data node of the data transition graph and sets it as the value of the state variable (step 193).
  • FIG. 20 is a diagram illustrating an example of the deadlock inspection model 29 generated by the deadlock inspection model generation unit 28.
  • the deadlock inspection model 201 is output in such a text format, for example.
  • the deadlock checking model 201 includes a description (202) of information shared between processes, a description (203) of a cooperation process, and a description (204a, 204b) of a process corresponding to each combined model.
  • the description (202) of information shared between processes is generated by the procedure A (FIG. 16) of the deadlock check model generation unit 28.
  • channels cA and cB and state variables stateA and stateB are created for combined models A and B.
  • the description (203) of the cooperation process is generated by the procedure B (FIG. 17) of the deadlock inspection model generation unit 28.
  • the shared event e1 is transmitted through the channel.
  • event e2 is transmitted through the channel regardless of B.
  • e2 is an event related to the transition of A, not a shared event.
  • the process descriptions (204a, 204b) are generated by the procedure C (FIG. 18) and the procedure D (FIG. 19) of the deadlock check model generation unit 28.
  • Each process first sets a state variable to an initial state. Thereafter, an event is received through the channel, a transition destination state is determined from the value of the current state variable and the received event, and is assigned to the state variable.
  • a deadlock occurs when a process waits for the occurrence of a shared event, while the corresponding process waits for the occurrence of another shared event, or when the event has ended.
  • the deadlock checking model 29 configured in this way is input to the model checker 210, and the presence or absence of deadlock is checked.
  • Upstream designers can write specifications in a way that corresponds to the processing flow and use cases, and verify the consistency between them, so in the fields of embedded systems and business systems, the upstream design of complex systems can be performed with high reliability and efficiency.
  • 21 Specification component device
  • 22 Transition model input unit
  • 23 Processing model input unit
  • 24 Verification condition input unit
  • 25 Model combination unit
  • 26 Data flow analysis unit
  • 27 Verification result
  • 28 Deadlock check model generation unit
  • 29 deadlock inspection model
  • 210 model checker, 211 verification result.
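
The event check of FIG. 6 and the data flow analysis of FIGS. 8 to 12 (procedures 1 to 4) described above, as an added Python example that is not code from the patent. The transition model, processing model, initial values and end-state condition are constructed here from the contract example in the text; the state names S0 to SE, the event identifiers and all function names are assumptions.

```python
from collections import defaultdict

FIELDS = ("application", "acceptance", "contract", "contractor_info")
UNSET = "-"  # value not yet determined

# Constructed transition model: (source state, event, destination state).
TRANSITIONS = [
    ("S0", "determine_new", "S1"),
    ("S0", "determine_renewal", "S1"),
    ("S1", "create_contract", "S2"),
    ("S2", "change_category", "S0"),
    ("S2", "register_contractor", "SE"),
]
START, END = "S0", "SE"

# Constructed processing model: event -> items of (condition part, consequent part).
PROCESSING = {
    "determine_new": [({"application": "new"}, {"acceptance": "new"})],
    "determine_renewal": [({"application": "renewal"},
                           {"acceptance": "renewal", "contract": "confirmed"})],
    "create_contract": [({"acceptance": "new"}, {"contract": "confirmed"}),
                        ({"acceptance": "renewal"}, {})],  # zero consequents: nothing is done
    "change_category": [({"application": "new"}, {"application": "renewal"}),
                        ({"application": "renewal"}, {"application": "new"})],
    "register_contractor": [({"contract": "confirmed"},
                             {"contractor_info": "confirmed"})],
}
INITIAL = [("new", UNSET, UNSET, UNSET), ("renewal", UNSET, UNSET, UNSET)]


def end_condition(d):
    """Verification condition for the end state (items 51 and 52 in the text)."""
    v = dict(zip(FIELDS, d))
    return (v["contractor_info"] == "confirmed"
            and (v["application"], v["acceptance"]) in {("new", "new"),
                                                        ("renewal", "renewal")})


def combine(transitions, processing):
    """Model combination: both models must name the same events (steps 61-67)."""
    t_events = {event for _, event, _ in transitions}
    if t_events != set(processing):
        raise ValueError(f"event mismatch: {sorted(t_events ^ set(processing))}")
    graph = defaultdict(list)
    for src, event, dst in transitions:
        graph[src].append((event, dst))
    return graph


def matches(condition, d):
    v = dict(zip(FIELDS, d))
    return all(v[name] == value for name, value in condition.items())


def apply_consequent(consequent, d):
    v = dict(zip(FIELDS, d))
    v.update(consequent)  # all consequent values are set at the same time
    return tuple(v[f] for f in FIELDS)


def analyse(transitions, processing, initial, start, end, condition):
    graph = combine(transitions, processing)
    D = defaultdict(set)  # storage area D per node, initially empty (step 81)
    dtg = set()           # data transition graph: ((node, d), event, (node', d'))
    problems = []

    def procedure2(n, d):
        edges = graph.get(n, [])
        if not edges:                      # no outward edge (step 102)
            if n != end:                   # step 106
                problems.append(("dead end", n, d))  # step 107
            return
        for event, dst in edges:           # procedure 3: items whose condition holds
            for cond, cons in processing[event]:
                if matches(cond, d):
                    procedure4(n, d, event, dst, cons)

    def procedure4(n, d, event, dst, cons):
        d_next = apply_consequent(cons, d)             # step 121
        already_analysed = d_next in D[dst]            # step 124
        D[dst].add(d_next)
        dtg.add(((n, d), event, (dst, d_next)))        # steps 125 and 127
        if not already_analysed:
            procedure2(dst, d_next)                    # step 126

    for d in initial:                                  # procedure 1
        D[start].add(d)
        procedure2(start, d)
    violations = sorted(d for d in D[end] if not condition(d))  # steps 84-85
    return D, dtg, problems, violations


if __name__ == "__main__":
    D, dtg, problems, violations = analyse(
        TRANSITIONS, PROCESSING, INITIAL, START, END, end_condition)
    for node in ("S0", "S1", "S2", "SE"):
        print(node, sorted(D[node]))
    print("data transition edges:", len(dtg))
    print("problems:", problems, "violations:", violations)
```

Changing one consequent in `PROCESSING` (for example making `determine_renewal` set the acceptance category to `new`) makes `analyse` return the offending end-state tuple in `violations`, which is the failure output of step 86.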

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a specification configuration device comprising: a transition model input unit that receives a transition model describing the dynamic behavior of a system in terms of combinations of system states and state transitions caused by events; a processing model input unit that receives a processing model describing updates of data values due to transitions caused by events; a verification condition input unit that receives verification conditions describing the data value conditions the system must satisfy when it is in its various states; a model combination unit that associates the transition model with the processing model on the basis of the events concerned and thereby combines the two into a combined model; and a data flow analysis unit that performs data flow analysis on the combined model to verify whether the system satisfies the verification conditions defined for the various states.
PCT/JP2015/058610 2015-03-20 2015-03-20 Specification configuration device and method WO2016151710A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2015/058610 WO2016151710A1 (fr) 2015-03-20 2015-03-20 Specification configuration device and method
JP2017507175A JP6169302B2 (ja) 2015-03-20 2015-03-20 Specification configuration device and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2015/058610 WO2016151710A1 (fr) 2015-03-20 2015-03-20 Specification configuration device and method

Publications (1)

Publication Number Publication Date
WO2016151710A1 (fr) 2016-09-29

Family

ID=56977052

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/058610 WO2016151710A1 (fr) 2015-03-20 2015-03-20 Specification configuration device and method

Country Status (2)

Country Link
JP (1) JP6169302B2 (fr)
WO (1) WO2016151710A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH07283847A (ja) * 1994-04-13 1995-10-27 Hitachi Ltd Communication software verification device
JP2013057985A (ja) * 2009-12-09 2013-03-28 Hitachi Ltd System design support device and method
JP2013200787A (ja) * 2012-03-26 2013-10-03 Fukuoka Pref Gov Sangyo Kagaku Gijutsu Shinko Zaidan Model checking device, model checking processing method, and program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TOSHIAKI AOKI ET AL.: "Formalization and Analysis of Dataflow in Object-Oriented Analysis Models", COMPUTER SOFTWARE, vol. 21, no. 4, 16 May 2009 (2009-05-16), pages 235 - 260, XP010801238 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019188179A1 (fr) * 2018-03-30 2019-10-03 株式会社デンソー Deadlock avoidance method and device
WO2019188175A1 (fr) * 2018-03-30 2019-10-03 株式会社デンソー Method for avoiding deadlock and device for avoiding deadlock
JP2019179416A (ja) * 2018-03-30 2019-10-17 株式会社デンソー Deadlock avoidance method and deadlock avoidance device
JP2019179412A (ja) * 2018-03-30 2019-10-17 株式会社デンソー Deadlock avoidance method and deadlock avoidance device
JP7039365B2 (ja) 2018-03-30 2022-03-22 株式会社デンソー Deadlock avoidance method and deadlock avoidance device
JP7064367B2 (ja) 2018-03-30 2022-05-10 株式会社デンソー Deadlock avoidance method and deadlock avoidance device
JP7490656B2 (ja) 2018-12-20 2024-05-27 コミッサリア ア レネルジー アトミーク エ オ ゼネルジ ザルタナテイヴ System for formally monitoring communications

Also Published As

Publication number Publication date
JPWO2016151710A1 (ja) 2017-05-25
JP6169302B2 (ja) 2017-07-26

Similar Documents

Publication Publication Date Title
JP5412510B2 (ja) Method for automatically generating test cases to verify at least part of a piece of software
JP5295269B2 (ja) Method for generating a component-model-based virtual software platform, method for verifying a software platform architecture using the same, and apparatus therefor
US9965252B2 (en) Method and system for generating stateflow models from software requirements
JP6169302B2 (ja) Specification configuration device and method
JP2019029015A (ja) Interactive software program repair
KR102013657B1 (ko) Apparatus for static analysis of associated multiple files
Tierno et al. Open issues for the automotive software testing
US8595559B2 (en) Method and apparatus for model-based testing of a graphical user interface
McCaffrey The verification of a distributed system
US11520966B2 (en) Automated assisted circuit validation
US10915427B2 (en) Equivalence verification apparatus and computer readable medium
EP3608786B1 (fr) Systems and methods for requirement chaining and applications thereof
JP2016031622A (ja) Software verification system and control device
CN110795142B (zh) Method and device for generating a configuration file
JP6369269B2 (ja) Verification support device, verification support method, and computer program
JP6006577B2 (ja) Degrade test support system, degrade test support method, and degrade test support program
EP3574406B1 (fr) Method and system for automated testing of computer program code
US20240241816A1 (en) Automated test generation
Saifan et al. Using formal methods for test case generation according to transition-based coverage criteria
JP2013206310A (ja) Model checking device, model checking method, and program
CN109800155B (zh) Probe-based QTE interlocking application software testing method and device
CN114238117A (zh) Software function testing method, device, and storage medium based on cause-effect graphs
CN106547696A (zh) Test case generation method and device for workflow systems
CN117539764A (zh) System-on-chip verification method, device, storage medium, and electronic equipment
CN106815035B (zh) Method for checking a computer system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15886267

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2017507175

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15886267

Country of ref document: EP

Kind code of ref document: A1