The present invention relates to a technique for verifying the equivalence of functions.
With software multifunctionalization and computerization, software has been steadily increasing in complexity and scale. Under the circumstances, it is necessary to achieve increase in the productivity of software development.
For example, a software development tool which implements quality maintenance and reduction in development man-hours is applied to software differential and derivative development.
There is available an approach called refactoring in software differential and derivative development. Refactoring is an approach for improving the quality of software by changing the internal configuration of the software without changing the substance of logical operations in the software.
Refactoring involves a change of source code. Thus, a change of source code may cause a bug, and the substance of logical operations may be unintentionally changed.
For this reason, verification of software before change and software after change is required for software differential and derivative development.
Non-Patent Literature 1 discloses an approach regarding equivalence verification for source code which is generated using legacy code and Simulink.
The term “equivalent” means that two pieces of source code coincide in the substance of logical operations, that is, that the same output values are obtained for the same input value.
The term “equivalence verification” means verifying whether two pieces of source code are equivalent.
In Non-Patent Literature 1, a call graph is generated for each of two pieces of source code in order to represent a call relationship among functions included in the piece of source code. The call graphs are used to associate functions coincident in function name and call relationship with each other and perform equivalence verification on a function-by-function basis.
Equivalence verification is performed in order from a function at an extremity. The requirement for equivalence is that the same output values are obtained from two pieces of source code if the two pieces of source code are executed with the same input value. The equivalence verification exhaustively analyzes, for every input value, whether two pieces of source code are coincident in an output value for the input value and judges equivalence on a function-by-function basis.
In Patent Literature 1, a tag representing behavior is embedded in a block as a branch destination for a branching statement in source code. Behavior as a verification object is designated, and a value range for a variable (or an expression) for passage through a block to be verified is specified on the basis of a tag embedded in the block and the designated behavior. Only source code related to the specific behavior can be verified by setting the specified value range as a verification range.
Patent Literature 1: JP 2010-204954
Non-Patent Literature 1: Rupak Majumdar, “Compositional Equivalence Checking for Models and Code of Control Systems”, 52nd IEEE Conference on Decision and Control, December 2013.
Non-Patent Literature 1 requires that output values for an input value coincide in the case of every input value. For this reason, even if the degree of equivalence between functions varies depending on paths to pass through in the functions, the functions are judged as inequivalent. Thus, a range for analysis of the reason why the functions are judged as inequivalent is wide, and the time required for manual bug analysis cannot be reduced.
For example, the equivalence between a function AX and a function Ay is judged. If a specific condition is satisfied, a function BX is called in the function AX, and a function BY equivalent to the function BX is called in the function AY. Thus, the function AX and the function AY are equivalent if the specific condition is satisfied. If the specific condition is not satisfied, a function CX is called in the function AX, and the function BY not equivalent to the function CX is called in the function AY. Thus, the function AX and the function AY are equivalent if the specific condition is not satisfied.
In Non-Patent Literature 1, functions are judged as inequivalent if the functions are equivalent in a state where a specific condition is satisfied and are not equivalent in a state where the specific condition is not satisfied. Thus, the function AX and the function AY are judged as inequivalent.
According to Patent Literature 1, if there are a large number of variables or an expression is complicated, a value range for passage through a specific block may not be uniquely determined. For this reason, the range of application of Patent Literature 1 is limited.
The present invention has as its object to allow judgment as to whether functions are partially equivalent to each other.
An equivalence verification apparatus according to the present invention includes:
an equivalence verification unit to judge through equivalence verification, for each of corresponding combinations which are each a combination of a function included in pre-change source code and a function included in post-change source code, whether the functions included in the corresponding combination are equivalent to each other;
a partial verification judgment unit to judge, for each of inequivalent ones of the corresponding combinations, whether the corresponding combination is a partial verification combination including a function where an inequivalent path, in which an inequivalent function is called, and a non-inequivalent path, in which a non-inequivalent function is called, are both included; and
a partial verification unit to judge, for each of the partial verification combinations, whether the functions included in the partial verification combination are partially equivalent to each other by excluding the inequivalent path and performing the equivalence verification.
According to the present invention, it is possible to judge whether functions are partially equivalent to each other.
Throughout the embodiments and drawings, the same elements and corresponding elements are denoted by the same reference numerals. A description of an element denoted by the same reference numeral will be appropriately omitted or simplified. An arrow in the drawings mainly indicates the flow of data or the flow of processing.
A form for judging whether functions are partially equivalent to each other will be described with reference to
A configuration of an equivalence verification apparatus 100 will be described with reference to
The equivalence verification apparatus 100 is a computer which includes pieces of hardware, such as a processor 901, a memory 902, an auxiliary storage device 903, and an input/output interface 904. The pieces of hardware are connected to one another via signal lines.
The processor 901 is an integrated circuit (IC) which performs arithmetic processing and controls the other pieces of hardware. For example, the processor 901 is a central processing unit (CPU), a digital signal processor (DSP), or a graphics processing unit (GPU).
The memory 902 is a volatile storage device. The memory 902 is called a main storage device or a main memory. For example, the memory 902 is a random access memory (RAM). Data stored in the memory 902 is saved in the auxiliary storage device 903 as needed.
The auxiliary storage device 903 is a non-volatile storage device. For example, the auxiliary storage device 903 is a read only memory (ROM), an hard disk drive (HDD), or a flash memory. Data stored in the auxiliary storage device 903 is loaded into the memory 902 as needed.
The input/output interface 904 is a port, to which an input device and an output device are connected. For example, the input/output interface 904 is a USB terminal, input devices are a keyboard and a mouse, and an output device is a display. USB stands for Universal Serial Bus.
The equivalence verification apparatus 100 includes software elements, such as a call graph generation unit 110, a control unit 120, an equivalence verification unit 130, an identifier setting unit 140, a partial verification judgment unit 150, and a partial verification unit 160. A software element is an element which is implemented by software.
An equivalence verification program for causing a computer to function as the call graph generation unit 110, the control unit 120, the equivalence verification unit 130, the identifier setting unit 140, the partial verification judgment unit 150, and the partial verification unit 160 is stored in the auxiliary storage device 903. The equivalence verification program is loaded into the memory 902 and is executed by the processor 901.
Additionally, an operating system (OS) is stored in the auxiliary storage device 903. At least a part of the OS is loaded into the memory 902 and is executed by the processor 901.
That is, the processor 901 executes the equivalence verification program while executing the OS.
Data which is obtained through execution of the equivalence verification program is stored in a storage device, such as the memory 902, the auxiliary storage device 903, a register in the processor 901, or a cache memory in the processor 901.
The memory 902 functions as a storage unit 191 which stores data. Note that any other storage device may function as the storage unit 191 instead of or together with the memory 902.
The input/output interface 904 functions as an acceptance unit 192 which accepts input. The input/output interface 904 also functions as a display unit 193 which displays an image and the like.
The equivalence verification apparatus 100 may include a plurality of processors which replace the processor 901. The plurality of processors share roles of the processor 901.
The equivalence verification program can be computer-readably stored in a non-volatile storage medium, such as a magnetic disc, an optical disc, or a flash memory. The non-volatile storage medium is a non-transitory tangible medium.
Operation of the equivalence verification apparatus 100 corresponds to an equivalence verification method. A procedure for the equivalence verification method corresponds to a procedure for the equivalence verification program.
The equivalence verification method will be described with reference to
In step S101, the acceptance unit 192 accepts pre-change source code and post-change source code. The storage unit 191 stores the accepted pre-change source code and post-change source code.
The pre-change source code is source code in pre-change software. For example, the pre-change source code is source code which is conventionally created.
The post-change source code is source code in post-change software. For example, the post-change source code is source code which is obtained by carrying out refactoring on the basis of the pre-change source code.
The pre-change source code 210 includes six functions (Func_F_x, _Func_E_x, Func_D_x, Func_C_x, Func_B_x, and Func_A_x).
The post-change source code 220 includes five functions (Func_E_y, Func_D_y, Func_C_y, Func_B_y, and Func_A_y).
Colons and ellipses in the pre-change source code 210 and the post-change source code 220 each indicate an omission of a description.
Referring back to
In step S110, the call graph generation unit 110 generates a pre-change call graph and a post-change call graph by analyzing the pre-change source code and the post-change source code. The storage unit 191 stores the pre-change call graph and the post-change call graph.
The pre-change call graph is a call graph for the pre-change source code.
The post-change call graph is a call graph for the post-change source code.
A call graph is data indicating a call relationship among functions and can be generated by a conventional technique.
For example, the call graph generation unit 110 generates the pre-change call graph by receiving, as input, the pre-change source code and executing egypt. The call graph generation unit 110 also generates the post-change call graph by receiving, as input, the post-change source code and executing egypt. Egypt is an existing tool for generating a call graph.
The pre-change call graph 231 indicates that Func_B_x and Func_C_x are called by Func_A_x, that Func_D_x and Func_E_x are called by Func_B_x, and that Func_F_x is called by Func_C_x.
The post-change call graph 232 indicates that Func_B_y and Func_C_y are called by Func_A_y and that Func_D_y and Func_E_y are called by Func_B_y.
Referring back to
In step S120, the acceptance unit 192 accepts a function correspondence table. The storage unit 191 stores the accepted function correspondence table.
The function correspondence table is data indicating a correspondence relationship between pre-change functions and post-change functions.
A pre-change function is a function included in the pre-change source code.
A post-change function is a function included in the post-change source code.
The function correspondence table, in particular, indicates correspondence relationships between pre-change functions and post-change functions in a reverse call order for the pre-change functions or the post-change functions.
The reverse call order is the opposite of a call order.
The call order is an order from a superordinate to a subordinate in a call relationship. A superordinate in a call relationship is a function as a caller, and a subordinate in the call relationship is a function as a callee.
A function at the bottom of the call order, that is, a function at the top of the reverse call order is referred to as a function at an extremity.
For example, the function correspondence table is accepted by the procedure below.
The display unit 193 first displays the pre-change call graph on the display.
A verifier refers to the pre-change call graph and judges the reverse call order for the pre-change functions.
The verifier then refers to a pre-change specification and a post-change specification and judges a post-change function corresponding to each pre-change function in the reverse call order for the pre-change functions.
The verifier then manipulates the input devices to input the function correspondence table to the equivalence verification apparatus 100.
The acceptance unit 192 accepts the input function correspondence table.
The function correspondence table 233 associates functions included in the pre-change source code 210 and functions included in the post-change source code 220 with each other.
A column for pre-change function shows the names of the functions included in the pre-change source code 210 while a column for post-change function shows the names of the functions included in the post-change source code 220. A hyphen indicates absence of a corresponding function.
In the column for pre-change function, the names of the functions included in the pre-change source code 210 are arranged in the reverse call order.
A first row of the function correspondence table 233 indicates absence of a post-change function corresponding to Func_F_x. Second to sixth rows of the function correspondence table 233 indicate that Func_#_x and Func_#_y correspond to each other. “#” represents A, B, C, D, or E.
A pre-change function at an extremity is Func_F_x.
Referring back to
In step S131, the control unit 120 selects one unselected pre-change function. More specifically, the control unit 120 selects the pre-change functions in order from the pre-change function at the extremity. For example, the control unit 120 selects one pre-change function in the order indicated by the function correspondence table.
In a description of step S132 and step S133, a selected pre-change function refers to the pre-change function selected in step S131.
In step S132, the control unit 120 judges, using the function correspondence table, whether there is any post-change function corresponding to the selected pre-change function.
More specifically, the control unit 120 selects a row containing the name of the selected pre-change function from the function correspondence table 233 and judges whether there is any post-change function name in the selected row. If there is any post-change function name in the selected row, there is a post-change function corresponding to the selected pre-change function.
If the selected pre-change function is Func_B_x, the control unit 120 selects the fifth row from the function correspondence table 233 in
If the selected pre-change function is Func_F_x, the control unit 120 selects the first row from the function correspondence table 233 in
If there is any post-change function corresponding to the selected pre-change function, the process advances to step S140.
If there is no post-change function corresponding to the selected pre-change function, the process advances to step S133.
In the description below, a combination of a selected pre-change function and a post-change function corresponding to the selected pre-change function will be referred to as a corresponding combination. The functions included in the corresponding combination will also be referred to as target functions.
In step S133, the control unit 120 registers the selected pre-change function as an inequivalent function in an equivalence judgment table.
An inequivalent function refers to a function included in a corresponding combination which is inequivalent, that is, a target function which is inequivalent.
The equivalence judgment table is data for managing the degree of equivalence between target functions and so on.
The equivalence judgment table 240 in
The equivalence judgment table 240 has respective columns for target function, counter-example, degree of equivalence, pre-change source code, and post-change source code.
The column for target function shows target functions. Func_F_x is identified as Func_F.
The column for degree of equivalence shows the degree of equivalence between the target functions.
Diagonal lines in the column for counter-example, the column for pre-change source code, and the column for post-change source code indicate absence of the other target function corresponding to one target function.
The respective columns for counter-example, pre-change source code, and post-change source code will be described later.
Referring back to
In step S140, the equivalence verification apparatus 100 performs full equivalence verification and partial equivalence verification on the corresponding combination.
The full equivalence verification is a process for judging whether the two functions are fully equivalent.
The term “fully equivalent” means that the two functions are equivalent for every input value.
The term “equivalent” means that an output value from one function coincides with an output value from the other function if the same input value is given to the two functions. In other words, the term “equivalent” means that the two pieces of source code coincide in the substance of logical operations, that is, that the same output values are obtained when the pieces of source code are executed with the same input value.
The partial equivalence verification is a process for judging whether the two functions are partially equivalent.
The term “partially equivalent” means that the two functions are equivalent for some input values. In other words, the term “partially equivalent” means that output values always coincide not when the pieces of source code are executed with every input value but when the pieces of source code are executed with each of some input values.
The details of step S140 will be described later.
After step S133 or step S140, the process advances to step S134.
In step S134, the control unit 120 judges whether there is any unselected pre-change function.
If there is any unselected pre-change function, the process advances to step S131.
If there is no unselected pre-change function, the process for the equivalence verification method ends.
A procedure for a verification process (S140) will be described with reference to
Step S141 and step S142 correspond to the full equivalence verification.
In step S141, the equivalence verification unit 130 generates a verification file.
The verification file is data which serves as an input for equivalence verification.
The equivalence verification is a process for verifying the equivalence between the two functions. That is, the equivalence verification is a process for judging whether the two functions are equivalent.
More specifically, the equivalence verification unit 130 generates an input coincidence statement, call statements, and an output coincidence statement and describes the statements in a file. The file thus obtained is the verification file.
The input coincidence statement is a statement indicating the precondition that an input value to one target function coincides with an input value to the other target function. With the input coincidence statement, the same input value is given to the both target functions.
The call statements are statements for calling and executing the target functions.
The output coincidence statement is a statement indicating the postcondition that an output value from one target function coincides with an output value from the other target function.
The verification file 250 is a verification file in a case where Func_B_x and Func_B_y are the target functions.
The verification file 250 includes an input coincidence statement 251, two call statements (252 and 253), and an output coincidence statement 254.
The input coincidence statement 251 indicates the precondition that input_x coincides with input_y. input_x is an input value to Func_B_x while input_y is an input value to Func_B_y.
With the call statement 252, Func_B_x is called and executed with input _x as an input value. An output value from Func_B_x is substituted for output_x.
With the call statement 253, Func_B_y is called and executed with input_y as an input value. An output value from Func_B_y is substituted for output.
The output coincidence statement 254 indicates the postcondition that output_x coincides with output_y.
A character string with a double slash indicates a comment.
In step S142, the equivalence verification unit 130 performs the equivalence verification using the verification file.
More specifically, the equivalence verification unit 130 performs the equivalence verification with the verification file, the pre-change source code, and the post-change source code as input. The equivalence verification is a conventional technique.
The equivalence verification executes the pre-change source code and the post-change source code in accordance with a description in the verification file, and the equivalence between the pre-change source code and the post-change source code is verified on the basis of a result of the execution.
For example, the equivalence verification unit 130 performs the equivalence verification by executing a tool called bounded model checking for C/C++ (CBMC).
The equivalence verification unit 130 then registers a result of the equivalence verification in the equivalence judgment table.
The equivalence judgment table 240 in
In the column for target function, Func_E_x and Func_E_y are identified as Func_E, Func_D_x and Func_D _y are identified as Func_D, and Func_C_x and Func_C_y are identified as Func_C.
Since Func_F, Func_E, Func_D, and Func_C are functions subordinate to Func_B in a call relationship, Func_F, Func_E, Func_D, and Func_C are already verified. For this reason, pieces of information on the degrees of equivalence for Func_F, Func_E, Func_D, and Func_C are registered in the equivalence judgment table 240.
The equivalence judgment table 240 in
In the equivalence judgment table 240, 0 is registered as a result of the equivalence verification on Func_B in the column for counter-example.
The column for counter-example shows an input value in a case where an output value from one target function does not coincide with an output value from the other target function. Note that both an input value and an output value or an output value alone may be registered in the column for counter-example.
In the column for counter-example, an ellipse indicates an omission of a description, and a hyphen indicates absence of a corresponding value.
Respective fields for degree of equivalence, pre-change source code, and post-change source code for Func_B are still blank. Note that inequivalence may be provisionally registered in the field for degree of equivalence for Func_B.
Referring back to
In step S143, the identifier setting unit 140 sets a branching point identifier (branching point identifiers) for each of the target function in the pre-change source code and the target function in the post-change source code.
A branching point identifier is an identifier for identification of a branching point.
More specifically, the identifier setting unit 140 sets a branching point identifier (branching point identifiers) for each source code of the pre-change source code and the post-change source code in the manner below.
The identifier setting unit 140 first selects a target function from each piece of source code.
The identifier setting unit 140 then finds a branching statement (branching statements) in the target function. A branching statement is a statement for bifurcating a path in accordance with a condition. Concrete branching statements are an if statement and an else statement. The path is a processing route in the piece of source code.
The identifier setting unit 140 then regards each of the beginning of the target function and the branching statement(s) as a branching point and generates a branching point identifier for each branching point.
The identifier setting unit 140 then generates an updating statement for each branching point identifier. The updating statement is a statement which updates a value of the branching point identifier.
The identifier setting unit 140 adds an updating statement to each branching point.
The pre-change source code 210 in
Updating statements (211 to 214) are added to Func_F_x, Func_E_x, Func_D_x, and Func_C_x that are functions subordinate to Func_B_x in a call relationship.
In the pre-change source code 210, countN_x is a branching point identifier. “N” represents an integer.
The pre-change source code 210 in
Three updating statements (215 to 216) are added to Func_B_x.
The post-change source code 220 in
Updating statements (221 to 223) are added to Func_E_y, Func_D_y, and Func_B_y that are functions subordinate to Func_B_y in a call relationship.
In the post-change source code 220, countN_y is a branching point identifier. “N” character represents an integer.
The post-change source code 220 in
Three updating statements (224 to 226) are added to Func_B_y.
Referring back to
In step S144, the identifier setting unit 140 registers, for each callee function in each target function, a branching point identifier in an identifier correspondence table, in association with the callee function.
The callee function is a function to be called. The callee function in the target function is a function to be called by the target function.
The identifier correspondence table is data for managing correspondence relationships between callee functions and branching point identifiers.
More specifically, the identifier setting unit 140 registers a branching point identifier in the manner below.
The identifier setting unit 140 first extracts a call statement from a target function in source code and extracts a function name from the call statement. A function identified by the extracted function name is a callee function.
The identifier setting unit 140 then refers to the source code from the call statement toward the beginning of the target function and extracts a branching point identifier which is first found. The extracted branching point identifier is a branching point identifier corresponding to the callee function.
The identifier setting unit 140 registers the function name of the callee function and the branching point identifier corresponding to the callee function in the identifier correspondence table.
The identifier correspondence table 260 in
The identifier correspondence table 260 has respective columns for target function, pre-change source code, and post-change source code. Each of the column for pre-change source code and the column for post-change source code includes a column for branching point identifier and a column for callee function.
As illustrated in
As illustrated in
The identifier correspondence table 260 in
As illustrated in
As illustrated in
As illustrated in
As illustrated in
Referring back to
In step S145, the equivalence verification unit 130 judges whether a result of the equivalence verification in step S142 shows equivalence.
If the result of the equivalence verification shows equivalence, the process advances to step S146.
If the result of the equivalence verification does not show equivalence, the process advances to step S200.
In step S146, the equivalence verification unit 130 registers the target functions as equivalent functions in the equivalence judgment table.
The equivalent functions are functions included in a corresponding combination which is fully equivalent, that is, target functions which are fully equivalent.
In step S200, the equivalence verification apparatus 100 performs the partial equivalence verification on the corresponding combination. That is, the equivalence verification apparatus 100 judges whether the target functions are partially equivalent to each other.
A procedure for the partial equivalence verification (S200) will be described with reference to
In step S210, the partial verification judgment unit 150 judges whether an inequivalent path and a non-inequivalent path are both included in each target function.
Note that the target function refers to the pre-change function or the post-change function. That is, it is judged in step S210 whether an inequivalent path and a non-inequivalent path are both included in at least one of the pre-change function and the post-change function.
The inequivalent path is a path in which an inequivalent function is called.
The non-inequivalent path is a path in which a non-inequivalent function is called.
The non-inequivalent function is a function which is not an inequivalent function. Concrete examples of the non-inequivalent function are an equivalent function and a partially equivalent function.
The partially equivalent function is a function included in a corresponding combination which is partially equivalent, that is, a target function which is partially equivalent.
A corresponding combination including a target function, in which an inequivalent path and a non-inequivalent path are both included, is referred to as a partial verification combination.
If an inequivalent path and a non-inequivalent path are both included in one target function, that is, the corresponding combination is a partial verification combination, the process advances to step S220.
If either one of an inequivalent path and a non-inequivalent path is not included in each target function, that is, the corresponding combination is not a partial verification combination, the process advances to step S233.
A procedure for partial verification judgment (S210) will be described with reference to
In step S211, the partial verification judgment unit 150 judges whether a target function is a function which calls a plurality of callee functions.
More specifically, the partial verification judgment unit 150 makes the judgment using the identifier correspondence table 260 in the manner below.
The partial verification judgment unit 150 first refers to the identifier correspondence table 260 and counts the number of callee functions which are associated with the target function.
The partial verification judgment unit 150 then judges whether the number of callee functions associated with the target function is not less than 2.
If the number of callee functions associated with the target function is not less than 2, the target function is a function which calls a plurality of callee functions.
If the target function is a function which calls a plurality of callee functions, the process advances to step S212.
If the target function is not a function which calls a plurality of callee functions, the process advances to step S215.
If the target function is FuncB_x, the number of callee functions (Func_D_x and Func_E_x) associated with the target function is 2 in the identifier correspondence table 260 in
If the target function is FuncB_y, the number of callee functions (Func_D_y and Func_E_y) associated with the target function is 2 in the identifier correspondence table 260 in
Thus, if the corresponding combination is a combination of Func_B_x and Func_B_y, the process advances to step S212.
In step S212, the partial verification judgment unit 150 judges whether an inequivalent function and a non-inequivalent function are both included in the plurality of callee functions.
More specifically, the partial verification judgment unit 150 makes the judgment using the identifier correspondence table 260 and the equivalence judgment table 240 in the manner below.
The partial verification judgment unit 150 first refers to the identifier correspondence table 260 and identifies the plurality of callee functions associated with the target function.
The partial verification judgment unit 150 then refers to the equivalence judgment table 240 and identifies a plurality of degrees of equivalence corresponding to the plurality of callee functions.
The partial verification judgment unit 150 judges whether the condition that at least any one of the plurality of degrees of equivalence be inequivalence and the condition that at least any one of the plurality of degrees of equivalence be equivalence or partial equivalence are met.
If at least any one of the plurality of degrees of equivalence is inequivalence, and at least any one of the plurality of degrees of equivalence is equivalence or partial equivalence, an inequivalent function and a non-inequivalent function are both included in the plurality of callee functions.
If an inequivalent function and a non-inequivalent function are both included in the plurality of callee functions, the process advances to step S213.
If one of an inequivalent function and a non-inequivalent function is not included in the plurality of callee functions, the process advances to step S215.
If the target function is FuncB_x, callee functions associated with the target function are Func_D _x and Func_E _x in the identifier correspondence table 260 in
Thus, if the corresponding combination is the combination of Func_B_x and Func_B_y, the process advances to step S213.
In step S213, the partial verification judgment unit 150 judges whether a branching point identifier for an inequivalent function is different from a branching point identifier for a non-inequivalent function.
The branching point identifier for the inequivalent function is a branching point identifier corresponding to a point where the inequivalent function is called.
The branching point identifier for the non-inequivalent function is a branching point identifier corresponding to a point where the non-inequivalent function is called.
More specifically, the partial verification judgment unit 150 makes the judgment using the identifier correspondence table 260 in the manner below.
The partial verification judgment unit 150 first extracts, for each of an inequivalent function (inequivalent functions), a branching point identifier associated with the inequivalent function from the identifier correspondence table 260. The extracted branching point identifier is a branching point identifier for the inequivalent function.
The partial verification judgment unit 150 also extracts, for each of a non-inequivalent function (non-inequivalent functions), a branching point identifier associated with the non-inequivalent function from the identifier correspondence table 260. The extracted branching point identifier is a branching point identifier for the non-inequivalent function.
The partial verification judgment unit 150 compares, for each combination of an inequivalent function and a non-inequivalent function, a branching point identifier for the inequivalent function with a branching point identifier for the non-inequivalent function.
If a branching point identifier for an inequivalent function does not coincide with a branching point identifier for a non-inequivalent function in at least any combination, the branching point identifier corresponding to the inequivalent function is different from a branching point corresponding to the non-inequivalent function.
If a branching point identifier (branching point identifiers) corresponding to an inequivalent function (inequivalent functions) is (are) different from a branching point (branching points) corresponding to a non-inequivalent function (non-inequivalent functions), the process advances to step S214.
If the branching point identifier(s) corresponding to the inequivalent function(s) coincides (coincide) with a branching point (branching points) corresponding to the non-inequivalent function(s), the process advances to step S215.
In step S214, the partial verification judgment unit 150 judges that an inequivalent path and a non-inequivalent path are both included in the target function.
In step S215, the partial verification judgment unit 150 judges that one of an inequivalent path and a non-inequivalent path is not included in each target function.
Referring back to
In step S220, the partial verification unit 160 excludes an inequivalent path and performs the equivalence verification on the target combination. That is, the partial verification unit 160 judges whether the target functions are equivalent to each other for a non-inequivalent path.
A procedure for partial verification (S220) will be described with reference to
In step S221, the partial verification unit 160 adds first exclusion control statements to the verification file.
A first exclusion control statement is a statement for excluding a first inequivalent path.
The first inequivalent path is an inequivalent path in a target function.
An inequivalent function called in the first inequivalent path is referred to as a first inequivalent function.
More specifically, the partial verification unit 160 adds first exclusion control statements in the manner below.
The partial verification unit 160 first generates first exclusion control statements.
A first exclusion control statement is a statement which judges whether a value of a first branching point identifier coincides with a pre-update value (an initial value). If the value of the first branching point identifier does not coincide with the pre-update value, an input which meets a condition for passage through a first inequivalent path is excluded from the equivalence verification.
The first branching point identifier is a branching point identifier for a first inequivalent function, that is, a branching point identifier corresponding to a point where the first inequivalent function is called.
The partial verification unit 160 then selects respective call statements which call the target functions from the verification file.
The partial verification unit 160 adds the respective first exclusion control statements after the selected call statements.
The verification file 250 includes a first exclusion control statement 255 after the call statement 252. The verification file 250 also includes a first exclusion control statement 256 after the call statement 253.
With the first exclusion control statement 255, whether a value of count7_x coincides with a pre-update value is judged. count7_x is a branching point identifier for Func_E_x (see
With the first exclusion control statement 256, whether a value of count6_y coincides with a pre-update value is judged. count6_y is a branching point identifier for Func_E_y (see
Referring back to
In step S222, the partial verification unit 160 judges whether each target function is a function which calls a partially equivalent function.
That is, the partial verification unit 160 judges whether a partially equivalent function is included in a plurality of callee functions called by the target function.
More specifically, the partial verification unit 160 makes the judgment using the identifier correspondence table 260 and the equivalence judgment table 240 in the manner below.
The partial verification unit 160 first refers to the identifier correspondence table 260 and identifies the plurality of callee functions associated with the target function.
The partial verification unit 160 then refers to the equivalence judgment table 240 and identifies a plurality of degrees of equivalence corresponding to the plurality of callee functions.
The partial verification unit 160 judges whether at least any one of the plurality of degrees of equivalence is partial equivalence.
If at least any one of the plurality of degrees of equivalence is partial equivalence, the target function is a function which calls a partially equivalent function.
If the target function is a function which calls a partially equivalent function, the process advances to step S223.
If the target function is not a function which calls a partially equivalent function, the process advances to step S224.
Callee functions for Func_B_x are Func_D_x and Func_E_x (see
Callee functions for Func_B_y are Func_D_y and Func_E_y (see
Thus, if the corresponding combination is the combination of Func_B_x and Func_B_y, the process advances to step S224.
In step S223, the partial verification unit 160 adds second exclusion control statements to the verification file.
A second exclusion control statement is a statement for excluding a second inequivalent path.
The second inequivalent path is an inequivalent path in a partially equivalent function called by a target function.
An inequivalent function which is called in the second inequivalent path is referred to as a second inequivalent function.
More specifically, the partial verification unit 160 adds second exclusion control statements in the manner below.
The partial verification unit 160 first generates second exclusion control statements.
A second exclusion control statement is a statement which judges whether a value of a second branching point identifier coincides with a pre-update value (an initial value). If the value of the second branching point identifier does not coincide with the pre-update value, an input which meets a condition for passage through a second inequivalent path is excluded from the equivalence verification.
The second branching point identifier is a branching point identifier for a second inequivalent function, that is, a branching point identifier corresponding to a point where the second inequivalent function is called.
The partial verification unit 160 then selects respective call statements which call partially equivalent functions from the verification file.
The partial verification unit 160 adds the respective second exclusion control statements after the selected call statements.
In step S224, the partial verification unit 160 performs the equivalence verification using the verification file, the pre-change source code, and the post-change source code.
A method for the equivalence verification is the same as that in step S142 of
Referring back to
In step S231, the partial verification unit 160 judges whether a result of the equivalence verification in step S220 shows equivalence.
If the result of the equivalence verification shows equivalence, the process advances to step S232.
If the result of the equivalence verification does not show equivalence, the process advances to step S233.
In step S232, the partial verification unit 160 registers the target functions as partially equivalent functions in the equivalence judgment table.
Additionally, the partial verification unit 160 registers a branching point identifier for a first inequivalent function and a branching point identifier for a second inequivalent function in the equivalence judgment table.
The equivalence judgment table 240 in
Partial equivalence is registered in a field for degree of equivalence corresponding to Func_B.
A column for pre-change source code is a column for a pre-change function which is a target function.
A column for post-change source code is a column for a post-change function which is a target function.
The respective columns for pre-change source code and post-change source code show a branching point identifier for a first inequivalent function and a branching point identifier for a second inequivalent function. A hyphen indicates absence of a first inequivalent function and a second inequivalent function.
A first inequivalent function for Func_B_x is Func_E_x (see
A first inequivalent function for Func_B_y is Func_E_y (see
In step S233, the partial verification unit 160 registers the target functions as inequivalent functions in the equivalence judgment table.
A concrete example where step S223 (see
The target functions are Func_A_x and Func_A_y.
The pre-change source code 210 in
Three updating statements (218, 219 and 2110) are added to Func_A_x.
The post-change source code 220 in
Three updating statements (227 to 229) are added to Func_A_y.
The identifier correspondence table 260 in
As illustrated in
As illustrated in
As illustrated in
As illustrated in
The verification file 250 includes the first exclusion control statement 255 after the call statement 252. Additionally, the verification file 250 includes the first exclusion control statement 256 after the call statement 253.
With the first exclusion control statement 255, whether a value of count10_x coincides with a pre-update value is judged. count10_x is a branching point identifier for Func_C_x (see
With the first exclusion control statement 256, whether a value of count9_y coincides with a pre-update value is judged. count9_y is a branching point identifier for Func_C_y (see
In step S222 (see
Callee functions for Func_A_x are Func_B_x and Func_C_x (see
Callee functions for Func_A_y are Func_B_y and Func_C y (see
Thus, if the corresponding combination is a combination of Func_A_x and Func_A_y, the process advances to step S223.
In step S223 (see
The verification file 250 includes a second exclusion control statement 257 after the call statement 252. The verification file 250 also includes a second exclusion control statement 258 after the call statement 253.
With the second exclusion control statement 257, whether the value of count7_x coincides with the pre-update value is judged. count7_x is the branching point identifier for Func_E_x (see
With the second exclusion control statement 258, whether the value of count6_y coincides with the pre-update value is judged. count6_y is the branching point identifier for Func_B_y (see
The equivalence judgment table 240 in
Partial equivalence is registered in a field for degree of equivalence corresponding to Func_A.
A first inequivalent function for Func_A_x is Func_C_x (see
A second inequivalent function for Func_A_x is Func_E_x (see
Similarly, count9_y and count6_y are registered in a field for post-change source code corresponding to Func_A.
The equivalence verification apparatus 100 performs equivalence verification in a state where a path through an inequivalent callee function is excluded by using a result regarding the degree of equivalence for a callee function in a target function. This expands a range which is judged as not inequivalent. As a result, a range for analyzing the cause of inequivalence, that is, the cause of a bug narrows, which shortens a manual analysis time.
A form for judging whether a call path from a start function to an end function is an inequivalent path will be described with reference to
A configuration of an equivalence verification apparatus 100 will be described with reference to
The equivalence verification apparatus 100 includes, as software elements, a path verification unit 170, in addition to a call graph generation unit 110, a control unit 120, an equivalence verification unit 130, an identifier setting unit 140, a partial verification judgment unit 150, and a partial verification unit 160.
An equivalence verification program causes a computer to function as the call graph generation unit 110, the control unit 120, the equivalence verification unit 130, the identifier setting unit 140, the partial verification judgment unit 150, the partial verification unit 160, and the path verification unit 170.
A path verification method will be described with reference to
The path verification method is performed on one of pre-change source code and post-change source code. The path verification method will be described below using the post-change source code as an object.
In step S301, an acceptance unit 192 accepts a start function identifier and an end function identifier (end function identifiers).
The start function identifier is an identifier for a function which is designated as a start function.
The end function identifier is an identifier for a function which is designated as an end function.
A path from the start function to the end function is referred to as a call path.
The call path indicates a function call order from the start function to the end function.
For example, the start function identifier and the end function identifier(s) are accepted by the procedure below.
The path verification unit 170 first generates a call graph chart by executing Graphviz with a post-change call graph 232 as input.
Graphviz is a tool for generating a call graph chart.
A call graph chart is a chart representing a call relationship indicated by a call graph.
A display unit 193 then displays the call graph chart on a display.
A verifier then refers to the call, graph chart, determines the start function and the end function(s), and inputs the start function identifier and the end function identifier(s) to the equivalence verification apparatus 100. If inputting of the end function identifier(s) is omitted, an identifier for a function at an extremity is assumed to be input as each end function identifier.
The acceptance unit 192 accepts the input start function identifier and end function identifier(s).
The call graph chart 270 is a call graph chart corresponding to the post-change call graph 232 in
Referring back to
In step S310, the path verification unit 170 extracts a third branching point identifier for each call path.
The third branching point identifier is a branching point identifier for a callee function included in the call path. The branching point identifier for the callee function is a branching point identifier corresponding to a point where the callee function is called.
Third branching point identifier extraction (S310) will be described with reference to
In step S311, the path verification unit 170 selects one function in order from the start function.
In a description of steps S312 to S315, a target function refers to the function selected in step S311.
In step S312, the path verification unit 170 judges whether the target function is a function which calls a plurality of callee functions.
More specifically, the path verification unit 170 makes the judgment using an identifier correspondence table 260 in the manner below.
The path verification unit 170 first refers to the identifier correspondence table 260 and counts the number of callee functions which are associated with the target function.
The path verification unit 170 then judges whether the number of callee functions associated with the target function is not less than 2.
If the number of callee functions associated with the target function is not less than 2, the target function is a function which calls a plurality of callee functions.
If the target function is a function which calls a plurality of callee functions, the process advances to step S313.
If the target function is not a function which calls a plurality of callee functions, the process advances to step S316.
In the identifier correspondence table 260 in
Thus, if the target function is Func_A_y, the process advances to step S313.
In step S313, the path verification unit 170 judges whether a plurality of third branching point identifiers corresponding to the plurality of callee functions are all the same.
More specifically, the path verification unit 170 makes the judgment using the identifier correspondence table 260 in the manner below.
The path verification unit 170 first extracts, for each callee function, a branching point identifier corresponding to the callee function from the identifier correspondence table 260.
The path verification unit 170 then judges whether all the extracted branching point identifiers are the same.
If the plurality of branching point identifiers corresponding to the plurality of callee functions are all the same, the process advances to step S316.
If at least any one of the plurality of branching point identifiers corresponding to the plurality of callee functions is different from the other branching point identifiers, the process advances to step S314.
In the identifier correspondence table 260 in
Thus, if the plurality of callee functions are Func_B_y and Func_C_y, the process advances to step S314.
In step S314, the path verification unit 170 registers a plurality of call paths in a path judgment table.
The path judgment table is data for managing the degree of equivalence and a third branching point identifier for each call path.
More specifically, the path verification unit 170 registers the plurality of call paths in the manner below.
The path verification unit 170 judges whether a call path including the target function is registered in the path judgment table.
If a call path including the target function is registered in the path judgment table, the path verification unit 170 registers call paths, equal in number to the plurality of callee functions, in the path judgment table by copying the call path including the target function. The path verification unit 170 registers a different callee function for each call path.
If no call path including the target function is registered in the path judgment table, the path verification unit 170 registers, for each callee function, a call path indicating the target function and the callee function in the path judgment table. The path verification unit 170 registers a different callee function for each call path.
In step S315, the path verification unit 170 registers a plurality of branching point identifiers in the path judgment table. Each of the plurality of branching point identifiers to be registered is a third branching point identifier.
More specifically, the path verification unit 170 extracts, for each call path registered in step S314, a branching point identifier for the callee function from the identifier correspondence table 260 and registers the extracted branching point identifier in the path verification unit 170.
In step S316, the path verification unit 170 judges whether there is any unselected function.
If there is any unselected function, the process advances to step S311. If there is no unselected function, the third branching point identifier extraction (S310) ends.
The path judgment table 280 in
A start function is Func_A_y, and end functions are Func_C_Y, Func_D_Y, and Func_E_Y.
Callee functions in a call path No. 1 are Func_B_y and Func_D_y. A branching point identifier for Func_B_y is count8_y, and a branching point identifier for FuncD_y is count5_y (see
Callee functions in a call path No. 2 are Func_B_y and Func_E_y. The branching point identifier for Func_B_y is count8_y, and a branching point identifier for FuncE_y is count6_y (see
A callee function in a call path No. 3 is Func_C_y. A branching point identifier for Func_C_y is count9_y (see
Referring back to
In step S321, the path verification unit 170 selects one unselected call path.
In a description of steps S322 to S324, a call path refers to the call path selected in step S321.
In step S322, the path verification unit 170 judges whether at least any third branching point identifier for the call path coincides with either one of a first branching point identifier for the start function and a second branching point identifier for the start function.
More specifically, the path verification unit 170 makes the judgment in the manner below.
The path verification unit 170 first extracts a third branching point identifier (third branching point identifiers) for the call path from a column for branching point identifier in the path judgment table 280.
The path verification unit 170 then extracts the first branching point identifier for the start function and the second branching point identifier for the start function from a column for post-change source code in the equivalence judgment table 240.
The path verification unit 170 then compares, for each third branching point identifier for the call path, the third branching point identifier with each of the first branching point identifier for the start function and the second branching point identifier for the start function.
The path verification unit 170 judges, on the basis of a result of the comparison, whether at least any one of the third branching point identifier(s) for the call path coincides with either one of the first branching point identifier for the start function and the second branching point identifier for the start function.
If at least any one of the third branching point identifier(s) for the call path coincides with either one of the first branching point identifier for the start function and the second branching point identifier for the start function, the process advances to step S323.
If no third branching point identifier for the call path coincides with the first branching point identifier for the start function and the second branching point identifier for the start function, the process advances to step S324.
In the path judgment table 280 in
A first branching point identifier and a second branching point identifier for Func_A_y that is the start function are count6_y and count9_y (see
In this case, no third branching point identifier coincides with the first branching point identifier and the second branching point identifier, the process advances to step S324.
In the path judgment table 280 in
The first branching point identifier and the second branching point identifier for Func_A_y that is the start function are count6_y and count9_y (see
Since the third branching point identifiers and the first branching point identifier share count6_y in this case, the process advances to step S323.
In the path judgment table 280 in
The first branching point identifier and the second branching point identifier for Func_A_y that is the start function are count6_y and count9_y (see
Since the third branching point identifier and the second branching point identifier share count9_y in this case, the process advances to step S323.
In step S323, the path verification unit 170 registers the call path as an inequivalent path in the path judgment table.
In step S324, the path verification unit 170 registers the call path as an equivalent path in the path judgment table.
In step S325, the path verification unit 170 judges whether there is any unselected call path.
If there is any unselected call path, the process advances to step S321.
If there is no unselected call path, the process for the path verification method ends.
In the path judgment table 280, the call path No. 1 is an equivalent path in which no inequivalent function is called. The call path No. 2 and the call path No. 3 are inequivalent paths, in each of which an inequivalent function is called.
The degree of equivalence for a call path can be verified using a result of Embodiment 1. This expands a range for a path (an equivalent path) which is judged as not inequivalent. As a result, for example, generation of a functional test case and designation of an expected output value can be omitted for an equivalent path, which reduces man-hours required for verification.
In each embodiment, functions of the equivalence verification apparatus 100 may be implemented by hardware.
The equivalence verification apparatus 100 includes a processing circuit 990. The processing circuit 990 is also referred to as processing circuitry.
The processing circuit 990 is a dedicated electronic circuit which implements the call graph generation unit 110, the control unit 120, the equivalence verification unit 130, the identifier setting unit 140, the partial verification judgment unit 150, the partial verification unit 160, the path verification unit 170, and the storage unit 191.
For example, the processing circuit 990 is a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a GA, an ASIC, an FPGA, or a combination thereof GA stands for Gate Array, ASIC stands for Application Specific Integrated Circuit, and FPGA stands for Field Programmable Gate Array.
The equivalence verification apparatus 100 may include a plurality of processing circuits which replace the processing circuit 990. The plurality of processing circuits share roles of the processing circuit 990.
The embodiments are illustrative of preferred forms and are not intended to limit the technical scope of the present invention. Each embodiment may be partially practiced or may be practiced in combination with another form. Each procedure described using a flowchart and the like may be appropriately changed.
100: equivalence verification apparatus; 110: call graph generation unit; 120: control unit; 130: equivalence verification unit; 140: identifier setting unit; 150: partial verification judgment unit; 160: partial verification unit; 170: path verification unit; 191: storage unit; 192: acceptance unit; 193: display unit; 210: pre-change source code; 211 to 219: updating statement; 2110: updating statement; 220: post-change source code; 221 to 229: updating statement; 231: pre-change call graph; 232: post-change call graph; 233: function correspondence table; 240: equivalence judgment table; 250: verification file; 251: input coincidence statement; 252: call statement; 253: call statement; 254: output coincidence statement; 255: first exclusion control statement; 256: first exclusion control statement; 257: second exclusion control statement; 258:
second exclusion control statement; 260: identifier correspondence table; 270: call graph chart; 280: path judgment table; 901: processor; 902: memory; 903: auxiliary storage device; 904: input/output interface; 990: processing circuit
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2017/006598 | 2/22/2017 | WO | 00 |