CN112100062B - Software and hardware integrated AADL (architecture analysis and design language) model reliability evaluation method based on generalized stochastic Petri network - Google Patents


Info

Publication number: CN112100062B
Authority: CN (China)
Application number: CN202010891607.9A
Original language: Chinese (zh)
Other versions: CN112100062A (en)
Inventors: 陆寅, 秦树东, 董云卫
Assignee (original and current): Northwestern Polytechnical University
Legal status: Active (application granted)
Prior art keywords: error, model, transaction unit, hardware, gspn

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F11/00: Error detection; error correction; monitoring
    • G06F11/36: Preventing errors by testing or debugging software
    • G06F11/3604: Software analysis for verifying properties of programs


Abstract

The invention relates to a method for evaluating an AADL (architecture analysis and design language) software and hardware integrated reliability model based on a generalized stochastic Petri net (GSPN). It comprises the following steps: first, construct the software and hardware integrated AADL reliability model; then convert the basic error model elements inside each transaction unit of the transaction-level error model of an operating platform component into basic GSPN elements; convert the connection relations between transaction units that describe the data flow interactions inside the operating platform component; convert the connection relations between operating platform components defined in the architecture model and the binding relations between software components and operating platform components; and compose the GSPN submodel converted from the system's operating platform components with the GSPN submodel converted from the system's software components into a software and hardware integrated GSPN model of the system. On that basis a GSPN calculation tool is called to compute the steady-state probability distribution of the system, completing the software and hardware integrated reliability evaluation.

Description

Software and hardware integrated AADL (architecture analysis and design language) model reliability evaluation method based on generalized stochastic Petri network
Technical Field
The invention relates to an AADL model reliability assessment method, in particular to a software and hardware integrated AADL model reliability assessment method.
Background
The paper "A method for converting a reliability model described in AADL into a GSPN model" proposes a model conversion method that establishes a mapping between AADL model elements and GSPN reliability model elements. It can convert the basic elements and relationships of an error model designed in the Architecture Analysis and Design Language (AADL), including basic error model elements, a component's outgoing error propagation rules, its incoming error propagation rules, and the dependencies within error models. However, the AADL reliability model built by that method concentrates on the behavior and error propagation mechanism of software components; the error effects and propagation mechanism of the transaction-level behavior of hardware components are not modeled. In practice the effect of hardware failures on system reliability is not negligible, so the reliability analysis of an embedded system must consider the error behavior of both software and hardware, and their mutual influence, and analyze the reliability of the system as a whole. AADL is widely used for embedded system modeling: it can describe the architecture of a system, offers a rich property description capability for components, and is extensible through annexes. Through annex extension a transaction-level error model for hardware components can be added and, combined with the AADL error model annex, a software and hardware integrated reliability model can be built; the software and hardware integrated reliability evaluation method of this invention is proposed on that basis.
Abbreviations
HCEM (Hardware Component transaction-level Error Model): the transaction-level error model of a hardware component
TEM (Transaction unit Error Model): the error model of one transaction unit inside a HCEM
EIT (Error Input Transition): an error propagated into a transaction unit from its predecessor (incoming propagation dependency)
EOT (Error Output Transition): an error propagated out of a transaction unit to its successor (outgoing propagation dependency)
Disclosure of Invention
Technical problem to be solved
In order to overcome the problem that the existing AADL reliability analysis-based hardware component part is not considered sufficiently, the invention provides an AADL model software and hardware comprehensive reliability evaluation method based on a Generalized Stochastic Petri Network (GSPN).
Technical scheme
A software and hardware integrated AADL model reliability assessment method based on a generalized stochastic Petri network is characterized by comprising the following steps
Step 1: Design an AADL architecture model of the system according to the system specification, and design an error model for the architecture model according to the reliability requirements. The error model comprises the software error model and the HCEM, giving an AADL reliability model with a hierarchical structure.
Step 2: Convert the AADL software component error model into the GSPN model of the software component.
Step 3: Convert the basic model elements contained in the HCEM of the AADL model into elements of the GSPN model. The conversion rules, in order, are as follows:
Step 3-1: For one TEM in the HCEM, each error state in the TEM is converted into a place in the GSPN model, and the initial error state is converted into a place holding one token. Each error event that triggers a transition in the TEM is converted into a GSPN transition, and each transition between error states in the TEM is converted into a place-to-transition arc (from the source state) and a transition-to-place arc (to the target state). Error events that follow a fixed probability distribution are converted into immediate transitions, and error events that follow a Poisson distribution (exponentially distributed inter-arrival time) are converted into timed transitions.
Step 3-2: Convert the EIT of the TEM. Search the transitions of the TEM for one whose triggering event refers to the EIT; if no transition refers to the EIT, skip this step. If a transition does refer to the EIT event, extract the name and error type of the EIT and convert it into a GSPN transition, which represents the change of the transaction unit's error state under the influence of an external error.
Step 3-3: Convert the EOT of the TEM into a temporary place p' representing the error output of the transaction unit and a timed transition t' representing the EOT. The TEM transition from the source error state triggered by the error event defined in the EOT is converted into an arc from the source place to the transition t' and an arc from t' to the temporary place p'. An inhibitor arc from p' to t' is established at the same time; it ensures that only one token is handed over to the next place in the transition section at a time. Finally an arc from t' to the initial place of the transaction unit is added, which represents that the transaction unit is reset to its initial state once the error has been passed to the next unit.
Step 3-4: Traverse all transaction units in the HCEM. If a next transaction unit exists, return to step 3-1 and convert its basic model elements; otherwise go to step 3-5, the basic model elements of all transaction units in this HCEM having been converted.
Step 3-5: If another hardware component in the architecture model defines a HCEM, execute steps 3-1 to 3-4 to convert the basic model elements of that HCEM; otherwise execute step 4.
Step 4: Each action of a hardware component can be described as a functional transaction unit. The connection order between the transaction units of the HCEM is determined by the data flow and control flow inside the hardware component, and the predecessor/successor relation of each transaction unit is determined from that order. A transaction unit A with no predecessor and at least one successor is a starting transaction unit; one with both a predecessor and a successor is an intermediate transaction unit; one with a predecessor and no successor is an endpoint transaction unit. On this basis the error propagation relations of the AADL transaction-level error model are converted as follows:
Step 4-1: If the transaction unit is a starting transaction unit, the matching of error propagation relations is skipped, because there is no predecessor whose EOT could match the EIT of the current unit.
Step 4-2: If the transaction unit is an intermediate or endpoint transaction unit, extract the error type In_type that its EIT allows to be passed in, find all error types Out_type that the EOT of the predecessor transaction unit allows to be passed out (following the connection relation between the units), and compare Out_type with In_type. If the types agree, establish a bidirectional arc connecting the temporary place p1 of the predecessor's EOT with the transition corresponding to the current EIT; then add an immediate transition q1 with an arc from p1 to q1; and finally establish two inhibitor arcs pointing to q1, from the target place of the EOT transition and from the target place of the current EIT transition. q1 absorbs the redundant token so that the error is not passed on repeatedly. If none of the error types agree, no match is made and the transaction unit is skipped.
Step 4-3: Traverse all transaction units in the HCEM: for a starting transaction unit execute step 4-1, otherwise execute step 4-2. When all transaction units of the hardware component have been handled, check whether the architecture model defines another HCEM; if so, return to step 4 and convert the error propagation relations of the next hardware component, otherwise go to step 5.
Step 5: Convert the connection relations between the starting and endpoint transaction units of the HCEM and the other hardware components and software components of the architecture model, specifically:
Step 5-1: Refer to the error propagation direction defined by the error propagation paths in the system error model. If the direction is from the hardware component to the BUS, the endpoint transaction unit of the hardware component is matched with the starting transaction unit of the BUS. The error type In_type that the EIT of the BUS starting transaction unit allows in is extracted and converted into a GSPN transition that receives the error passed in from the hardware component; it represents the change of the error state of the BUS transaction unit on receiving an external error input. The error type Out_type that the EOT of the hardware component's endpoint transaction unit allows out is extracted and compared with In_type. If they agree, a bidirectional arc is established connecting the temporary place p2 of that EOT with the transition corresponding to the EIT of the BUS starting transaction unit; then an immediate transition q2 is added with an arc from p2 to q2; and finally two inhibitor arcs pointing to q2 are established from the target place of the EOT transition and the target place of the current EIT transition.
Step 5-2: If the error propagation direction is from the BUS to the hardware component, the starting transaction unit of the hardware component is matched with the endpoint transaction unit of the BUS. The error type In_type allowed in by the EIT of the hardware component's starting transaction unit is extracted and converted into a GSPN transition that receives the error passed in from the BUS; it represents the change of the error state of the transaction unit on receiving an external error input. The error type Out_type allowed out by the EOT of the BUS endpoint transaction unit is extracted and compared with In_type. If they agree, a bidirectional arc is established connecting the temporary place p3 of that EOT with the transition corresponding to the EIT of the hardware component's starting transaction unit; then an immediate transition q3 is added with an arc from p3 to q3; and finally two inhibitor arcs pointing to q3 are established from the target place of the EOT transition and the target place of the current EIT transition.
Step 5-3: Find all software components bound to the hardware component through the binding relation, build a list of them, select the first item of the list and go to step 5-4.
Step 5-4: According to the name of the selected software component, find the error behavior state machine defined in that component's error model and, from its contents, the event h by which the hardware affects the software component; find the GSPN transition q4 corresponding to this event and connect q4 with a bidirectional arc to the place p4 converted from the EOT of the hardware endpoint transaction unit, representing that the hardware component passes the error to the software component. Search the error model of the current software component for the transition that has event h as its trigger condition, find the place p5 corresponding to the target state of that transition in the GSPN model, and connect p5 to q4 with an inhibitor arc, so that the transition is not triggered again while it has already been triggered and not yet repaired. Add an immediate transition q5 with an arc from the temporary place p4 to q5, and finally establish inhibitor arcs pointing to q5 from the place of the target state of the transition defined in the EOT and from the predecessor place of event h in the software component. q5 absorbs the redundant token in the boundary transaction unit place p4, so that a fault in the hardware component does not act on the software component repeatedly and defeat the software component's repair function.
Step 5-5: Select the next software component from the list built in step 5-3 and repeat step 5-4 until all software components in the list have had their binding relation converted. The result is a GSPN model composed of the GSPN submodel of the hardware component error model and the GSPN submodel of the software component error model.
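The following is an added example, not code from the patent, showing rules 3-1 to 3-3 (transaction unit error model to GSPN elements) and rule 4-2 (matching a predecessor's EOT with a successor's EIT by error type) as a small Python builder. The input record layout, the transition naming scheme (`<unit>.<type>.IN`, `q.<pred>.<succ>.<type>`), the extra error states and events of the three units, and the choice to inhibit the absorbing transition by the successor's initial place are assumptions; only the unit names, the error types errInvalidInst and errFaultInst, the place esBIU and the `<unit>.<type>.OUT` / `.OUT_copy` pattern follow the page's own example.

```python
"""Added example (not the patent's code): rules 3-1 to 3-3 (TEM -> GSPN elements)
and rule 4-2 (EOT/EIT matching) as a small Python builder. The input record
layout, the transition naming scheme and the unit contents are assumptions."""


def new_gspn():
    return {"places": set(), "marking": {}, "transitions": {}}


def add_transition(net, name, kind, inp, out, inhib=None, eit_type=None):
    """kind is 'timed' or 'immediate'; arcs are {place: multiplicity} maps."""
    inhib = inhib or {}
    net["places"].update(inp, out, inhib)
    net["transitions"][name] = {"kind": kind, "in": dict(inp), "out": dict(out),
                                "inhib": dict(inhib), "eit_type": eit_type}


def translate_tem(net, tem):
    """Rules 3-1, 3-2 and 3-3 for one transaction unit error model."""
    u, initial = tem["name"], f"{tem['name']}.{tem['initial']}"
    place = lambda s: f"{u}.{s}"
    # 3-1: error states -> places; the initial state's place gets one token
    net["places"].update(place(s) for s in tem["states"])
    net["marking"][initial] = 1
    for src, ev, dst in tem["transitions"]:
        if ev in tem["eit"]:
            # 3-2: a transition triggered by an EIT event becomes a transition
            # tagged with the EIT error type; rule 4-2 wires it to the predecessor
            etype = tem["eit"][ev]
            add_transition(net, f"{u}.{etype}.IN", "immediate",
                           {place(src): 1}, {place(dst): 1}, eit_type=etype)
        else:
            # 3-1: Poisson events -> timed, fixed-probability events -> immediate
            kind = "timed" if tem["events"][ev] == "poisson" else "immediate"
            add_transition(net, f"{u}.{ev}", kind, {place(src): 1}, {place(dst): 1})
    for src, etype in tem["eot"].items():
        # 3-3: EOT -> timed t' into temporary place p', inhibitor arc p' -> t'
        # (one token handed over at a time) and reset arc t' -> initial place
        p_tmp = f"{u}.{etype}.OUT_copy"
        add_transition(net, f"{u}.{etype}.OUT", "timed", {place(src): 1},
                       {p_tmp: 1, initial: 1}, inhib={p_tmp: 1})
    return net


def connect_units(net, pred, succ):
    """Rule 4-2: for each EIT of `succ`, look for an EOT of `pred` with the same
    error type (In_type == Out_type); return the matched error types."""
    matched = []
    for name, t in list(net["transitions"].items()):
        if t["eit_type"] is None or not name.startswith(succ["name"] + "."):
            continue
        if t["eit_type"] not in pred["eot"].values():
            continue  # In_type and Out_type differ: no propagation path
        p_tmp = f"{pred['name']}.{t['eit_type']}.OUT_copy"
        t["in"][p_tmp] = t["out"][p_tmp] = 1  # bidirectional arc p' <-> EIT transition
        # absorbing immediate q: drains p' once succ has left its initial state, so
        # one error token is delivered exactly once (assumed reading of the inhibitors)
        add_transition(net, f"q.{pred['name']}.{succ['name']}.{t['eit_type']}",
                       "immediate", {p_tmp: 1}, {},
                       inhib={f"{succ['name']}.{succ['initial']}": 1})
        matched.append(t["eit_type"])
    return matched


# Constructed input (assumed contents): the three transaction units of the processor GPM
BIU = {"name": "BIU", "states": ["esBIU", "errInvalidInst", "errFaultInst"],
       "initial": "esBIU", "events": {"evInvalidInst": "poisson", "evFaultInst": "poisson"},
       "transitions": [("esBIU", "evInvalidInst", "errInvalidInst"),
                       ("esBIU", "evFaultInst", "errFaultInst")],
       "eit": {}, "eot": {"errInvalidInst": "errInvalidInst", "errFaultInst": "errFaultInst"}}
IDECODER = {"name": "IDecoder", "states": ["esIDecoder", "errInvalidInst", "errFaultInst"],
            "initial": "esIDecoder", "events": {"evDecodeFault": "fixed"},
            "transitions": [("esIDecoder", "eitideInvalidInst", "errInvalidInst"),
                            ("errInvalidInst", "evDecodeFault", "errFaultInst")],
            "eit": {"eitideInvalidInst": "errInvalidInst"}, "eot": {"errFaultInst": "errFaultInst"}}
IEXECUTOR = {"name": "IExecutor", "states": ["esIExecutor", "errFaultInst"],
             "initial": "esIExecutor", "events": {},
             "transitions": [("esIExecutor", "eitIExFaultInst", "errFaultInst")],
             "eit": {"eitIExFaultInst": "errFaultInst"}, "eot": {}}


def build_gpm():
    """Steps 3 and 4 for the chain BIU -> IDecoder -> IExecutor."""
    net = new_gspn()
    for tem in (BIU, IDECODER, IEXECUTOR):
        translate_tem(net, tem)
    links = {(p["name"], s["name"]): connect_units(net, p, s)
             for p, s in ((BIU, IDECODER), (IDECODER, IEXECUTOR))}
    return net, links


if __name__ == "__main__":
    net, links = build_gpm()
    print(len(net["places"]), "places,", len(net["transitions"]), "transitions")
    for (p, s), types in links.items():
        print(f"{p} -> {s}: matched {types or 'nothing'}")
```

Running the module reports 11 places and 10 transitions: BIU's errFaultInst output finds no EIT of that type in IDecoder and is left unconnected, exactly the "types inconsistent, skip" branch of rule 4-2, while errInvalidInst (BIU to IDecoder) and errFaultInst (IDecoder to IExecutor) each get a bidirectional arc and an absorbing transition.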
Step 6: Configure the transition parameters of the GSPN model from the attribute parameters of the source model: extract the probability attributes of the error events from the error model and the transaction-level error model property sets, and assign them to the probability attributes of the corresponding transition of each event in the GSPN model, giving the complete and computable software and hardware integrated GSPN model. Call a GSPN calculation tool to compute the steady-state probability distribution of this GSPN reliability model; one computation yields the probability of the system being in each of its states under the chosen parameters.
Step 7: Select certain states of the source model as the objects of examination and one error event of the source model. Vary the occurrence probability of that error event from its initial value in fixed steps, repeating the computation of step 6 at each value, to obtain and record the reliability probability of the system for the different occurrence probabilities of the error event. Display the results as a two-dimensional line graph, a bar graph and a probability table, and finally obtain the law by which the system reliability changes under the influence of the error event. This completes the software and hardware integrated reliability evaluation.
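Steps 6 and 7 delegate the numerics to an external GSPN calculation tool. The following added example (not the patent's code, and no substitute for a real tool) shows what that tool does on a two-unit chain: it builds the reachability graph, eliminates vanishing markings (those in which an immediate transition is enabled), solves the embedded continuous-time Markov chain for its steady-state distribution, and then sweeps one error event's rate in fixed steps as in step 7. The chain is hand-built with rules 3-1, 3-3 and 4-2; the unit and event names, the rates, the IDecoder repair event and the reading of the inhibitor arcs on the absorbing transition q1 are assumptions.

```python
"""Added example (not the patent's code): a minimal GSPN steady-state solver in
pure Python (steps 6 and 7) applied to a BIU -> IDecoder chain built with rules
3-1, 3-3 and 4-2. Names, rates and the repair event are assumptions."""
from collections import deque
from fractions import Fraction


def T(inp, out, rate=None, inhib=None):
    """A transition; arcs are {place: multiplicity}; rate=None means immediate."""
    return {"in": inp, "out": out, "inhib": inhib or {},
            "rate": None if rate is None else Fraction(rate)}


def marking(d):
    """Canonical marking: sorted tuple of (place, tokens), zero entries dropped."""
    return tuple(sorted((p, n) for p, n in d.items() if n))


def enabled(m, t):
    m = dict(m)
    return (all(m.get(p, 0) >= k for p, k in t["in"].items())
            and all(m.get(p, 0) < k for p, k in t["inhib"].items()))


def fire(m, t):
    m = dict(m)
    for p, k in t["in"].items():
        m[p] -= k
    for p, k in t["out"].items():
        m[p] = m.get(p, 0) + k
    return marking(m)


def tangible_successors(net, m, memo):
    """Eliminate vanishing markings: distribution over the tangible markings reached
    from m by firing immediate transitions only (equal weights on conflicts)."""
    if m not in memo:
        imm = [t for t in net.values() if t["rate"] is None and enabled(m, t)]
        dist = {m: Fraction(1)} if not imm else {}
        for t in imm:
            for m2, p in tangible_successors(net, fire(m, t), memo).items():
                dist[m2] = dist.get(m2, 0) + p / len(imm)
        memo[m] = dist
    return memo[m]


def steady_state(net, m0):
    """Reachability graph -> embedded CTMC -> solve pi*Q = 0, sum(pi) = 1 exactly."""
    memo, states, rates, queue = {}, [], {}, deque([m0])
    while queue:
        m = queue.popleft()
        states.append(m)
        for t in net.values():
            if t["rate"] is None or not enabled(m, t):
                continue
            for m2, p in tangible_successors(net, fire(m, t), memo).items():
                rates[(m, m2)] = rates.get((m, m2), 0) + t["rate"] * p
                if m2 not in states and m2 not in queue:
                    queue.append(m2)
    n, idx = len(states), {m: i for i, m in enumerate(states)}
    Q = [[Fraction(0)] * n for _ in range(n)]  # infinitesimal generator
    for (a, b), r in rates.items():
        Q[idx[a]][idx[b]] += r
        Q[idx[a]][idx[a]] -= r
    # rows 0..n-2: global balance equations; last row: normalisation; last column: rhs
    A = [[Q[i][j] for i in range(n)] + [Fraction(0)] for j in range(n - 1)]
    A.append([Fraction(1)] * (n + 1))
    for c in range(n):  # Gauss-Jordan elimination with exact rationals
        piv = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[piv] = A[piv], A[c]
        pv = A[c][c]
        A[c] = [x / pv for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return {m: A[i][n] for m, i in idx.items()}


def chain_model(fault_rate, out_rate, repair_rate):
    """BIU -> IDecoder: rule 3-1 (states -> places, Poisson event -> timed), rule 3-3
    (EOT -> timed t' into p' with inhibitor p' -> t' and reset arc), rule 4-2 (EIT)."""
    p_out = "BIU.errInvalidInst.OUT_copy"
    net = {
        "BIU.evInvalidInst": T({"BIU.esBIU": 1}, {"BIU.errInvalidInst": 1}, fault_rate),
        "BIU.errInvalidInst.OUT": T({"BIU.errInvalidInst": 1}, {p_out: 1, "BIU.esBIU": 1},
                                    out_rate, inhib={p_out: 1}),
        "IDecoder.eitInvalidInst": T({"IDecoder.esIDecoder": 1, p_out: 1},
                                     {"IDecoder.errInvalidInst": 1, p_out: 1}),
        # q1 drains p' only after IDecoder has left its initial state, so the error
        # is delivered exactly once (assumed reading of the inhibitor arcs in 4-2)
        "q1": T({p_out: 1}, {}, inhib={"IDecoder.esIDecoder": 1}),
        # assumed repair event; without it the chain would absorb into failure
        "IDecoder.evRepair": T({"IDecoder.errInvalidInst": 1}, {"IDecoder.esIDecoder": 1},
                               repair_rate),
    }
    return net, marking({"BIU.esBIU": 1, "IDecoder.esIDecoder": 1})


def healthy_probability(fault_rate, out_rate="1", repair_rate="1/10"):
    """Step 6: probability that both units are in their initial, error-free state."""
    net, m0 = chain_model(fault_rate, out_rate, repair_rate)
    return steady_state(net, m0)[m0]


def sweep(fault_rates):
    """Step 7: vary one error event's rate in fixed steps and record the result."""
    return [(str(r), float(healthy_probability(r))) for r in fault_rates]


if __name__ == "__main__":
    for r, p in sweep(["1/100", "2/100", "3/100", "4/100"]):
        print(f"rate(BIU.evInvalidInst)={r:>6}  P(system error-free)={p:.5f}")
```

With the assumed rates 1/100 (fault), 1 (hand-over) and 1/10 (repair) the chain has four tangible markings, the temporary place never holds a token in a tangible marking (the immediate transitions always clear it), and the probability of both units being error-free is exactly 1000/1111. Rates are given as exact fractions so that the result can be compared exactly; a GSPN tool would use floating point and, for larger nets, an iterative solver instead of elimination.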
Advantageous effects
The invention provides a software and hardware integrated AADL model reliability evaluation method based on a generalized stochastic Petri net. First, a software and hardware integrated reliability model is built in AADL, comprising the system architecture model, the software error model and the HCEM. Second, conversion rules from the HCEM to the GSPN model are established and an automatic conversion is implemented, by which the HCEM is converted into a GSPN model; the method also integrates the existing conversion from a software reliability model to a GSPN model, so that the software error model can be converted as well. On that basis the GSPN model obtained from the HCEM and the GSPN model obtained from the software error model are combined into a software and hardware integrated reliability calculation model. Finally the GSPN model is computed with a GSPN calculation tool and the results are analyzed, completing the integrated reliability evaluation.
Because new model conversion rules are formulated and the conversion of software reliability models to GSPN is integrated with them, the method converts the software error model and the HCEM separately into GSPN models. The elements the HCEM conversion handles include the transitions caused by error propagation between the transaction units of a hardware component and the transitions caused by propagation of hardware errors to other components, so the GSPN submodel obtained from the HCEM describes the error propagation rules inside the hardware component in more detail. Composing it with the GSPN model obtained from the software error model yields a system reliability calculation model that covers software and hardware together, and the computed system reliability probability agrees better with actual conditions.
Drawings
FIG. 1 is a flow chart of an embodiment of the method of the present invention;
FIG. 2 is an embedded computing system architecture diagram of an embodiment of the present invention;
FIG. 3 is a diagram of the connections between transaction units in the processor hardware components, the memory hardware components, and the bus hardware components;
FIG. 4 is a GSPN model element converted from thread thdA component and thread thdB component error models;
FIG. 5 is a GSPN model element converted by an error state machine of a transaction unit inside a GPM of a processor in the system according to the embodiment of the present invention;
FIG. 6 is a diagram of the transitions obtained by converting the EIT (error input events) of the transaction units inside the processor GPM in the system according to the embodiment of the present invention;
FIG. 7 is a GSPN model obtained by EOT conversion of an error outgoing event of a transaction unit inside a GPM of a processor in the system according to the embodiment of the present invention;
fig. 8 shows GSPN model elements obtained by converting basic model elements in the internal transaction unit of the memory MEM according to the embodiment of the present invention;
FIG. 9 is a GSPN model element converted from a basic model element in a transaction unit inside a Bus in the system according to the embodiment of the present invention;
FIG. 10 shows a GSPN model obtained by converting the error propagation relationship between transaction units inside the GPM of the processor in the system according to the embodiment of the present invention;
fig. 11 shows that the error propagation relationship between the internal transaction units of the memory MEM is converted to obtain the GSPN model in the system according to the embodiment of the present invention;
FIG. 12 is a GSPN model obtained by converting the error propagation relationship between the Bus internal transaction units in the system according to the embodiment of the present invention;
FIG. 13 is a GSPN model obtained by converting the access relationship between the processor GPM and the Bus in the system according to the embodiment of the present invention;
FIG. 14 is a GSPN model obtained by converting the access relationship between the memory MEM and the Bus in the system according to the embodiment of the present invention;
FIG. 15 shows a GSPN model transformed from the binding relationship between threads thdA and thdB and a processor GPM in the system according to the embodiment of the present invention;
FIG. 16 is a computable GSPN model resulting from a software and hardware integrated reliability model conversion;
FIG. 17 is a diagram illustrating the comprehensive reliability evaluation result of software and hardware in the system according to the embodiment of the present invention.
Detailed Description
The invention will now be further described with reference to the following examples and drawings:
Referring to FIG. 1, the invention provides a method for evaluating the software and hardware integrated reliability of an AADL model based on a generalized stochastic Petri net. Starting from an AADL architecture model with a hierarchical structure, it establishes the HCEM of each AADL hardware component and the error model of each software component, and establishes a new conversion from the AADL software and hardware integrated reliability model to a GSPN model. First, an architecture model is built in AADL and annex models are attached to it with the software error model annex and the hardware transaction-level error model annex, forming the AADL software and hardware integrated reliability model of the system. Then conversion rules from the HCEM to GSPN are established; the HCEM and the AADL software error model are each converted into GSPN models according to these rules; the resulting GSPN submodels of the hardware components and of the software components are composed into the system's software and hardware integrated GSPN model; and that model is computed with a GSPN calculation tool to complete the integrated reliability evaluation.
1: referring to fig. 2: example an off-board replaceable module (LRM) embedded computing system was used as the target system for implementing the AADL model reliability assessment method for software and hardware integration. The system is named as LRMexample, is a multitask computing system based on a single-processor hardware computing platform, and an AADL architecture model is built according to requirements, wherein the AADL architecture model comprises a system component representing a target system, a processor component, a bus component, a memory component and two system process components, and each process comprises a thread component (thdA and thdB) representing a system task. Data is transmitted between the thread thdA and the thread thdB through port connection; the processor and the memory are connected through bus access, and the two threads are connected with the processor through a binding relation.
1.2: Referring to FIG. 3, the error model of the LRMexample system software is first built with the error model annex sublanguage of AADL. Then a transaction-level error behavior model is built for the processor GPM of the LRMexample system with the annex sublanguage of the transaction-level error model. A simple processor component can be simulated functionally with three transaction units: the bus interface unit BIU, the instruction decoder IDecoder and the instruction execution unit IExecutor. The BIU of the processor first generates the next instruction address and starts the instruction fetch. Before the fetch, the instruction address must be checked: if it is an illegal address, the transaction is rolled back and the address recalculated; if it carries another kind of error, the error is thrown to the IDecoder transaction unit, where it moves the error state machine inside IDecoder from its initial state to another state. When the IDecoder error state machine reaches its final state, IDecoder passes the error information on to its successor IExecutor, triggering the error state machine inside IExecutor; when that state machine reaches its final state, the error passed out of IExecutor is passed to a software component of the system, so the propagation of errors between hardware and software components must also be described. After the processor finishes processing a task, the result must be transmitted to the memory component for storage, so the data communication connection established between the processor and the memory over the bus, and the data storage process inside the memory, must be described as well.
With the above completed, the transaction-level error modeling of the hardware components is also complete, and the software component error models and the AADL architecture model are combined with it into the software and hardware integrated reliability model of the embedded computing system.
2: referring to fig. 4, in the AADL reliability model of the embedded computing system, components including a software error model, namely a thread thdA and a thread thdB, convert each element in the error model into an element of a GSPN model.
3: the components including the transaction-level error model are the processor GPM, the memory MEM and the Bus, and the basic model elements included in the hardware component HCEM are converted into the elements in the GSPN model, because there are many hardware components involved and the conversion method of the basic model elements is basically the same, only the conversion rule of the transaction-level error model of the processor GPM will be described in detail herein, and the conversion method and the conversion sequence are as follows:
3.1: Referring to FIG. 5, the error states contained in the transaction unit error models of BIU, IDecoder and IExecutor in the processor GPM are converted into places of the GSPN model, the initial state becoming a place holding one token. The error events contained in the event fields of the transaction unit error models are converted into GSPN transitions, the transition type being chosen from the event type described in the model: events that follow a Poisson distribution become timed transitions and events that follow a fixed probability distribution become immediate transitions. On this basis the error transitions of the transaction unit error models are converted into place-to-transition and transition-to-place arcs.
3.2: Referring to FIG. 6, the EIT of each transaction unit error model is then converted. Among the trigger events of the state transitions in the BIU transaction unit no EIT is referenced, so for the BIU the EIT conversion step is skipped. One state transition in the IDecoder transaction unit is triggered by the event eitideInvalidInst defined in the EIT, so that EIT is converted into a transition of the IDecoder unit.
3.3: Referring to FIG. 7, the error types errInvalidInst and errFaultInst that the EOT of transaction unit BIU allows to propagate are extracted and converted into the timed transitions BIU.errInvalidInst.OUT and BIU.errFaultInst.OUT. Then an arc from the place BIU.esBIU to the transition BIU.errInvalidInst.OUT and an arc from BIU.errInvalidInst.OUT to the temporary place BIU.errInvalidInst.OUT_copy are created, and likewise an arc from BIU.esBIU to BIU.errFaultInst.OUT and an arc from BIU.errFaultInst.OUT to BIU.errFaultInst.OUT_copy. An inhibitor arc from BIU.errInvalidInst.OUT_copy to BIU.errInvalidInst.OUT and an inhibitor arc from BIU.errFaultInst.OUT_copy to BIU.errFaultInst.OUT are then added, to ensure that each temporary place holds at most one token and only one token is handed over to the next unit at a time. Finally arcs from BIU.errInvalidInst.OUT and BIU.errFaultInst.OUT back to the initial place BIU.esBIU are added, so that the BIU unit is reset to its initial state after the error has been passed out. The EOTs of IDecoder and IExecutor are converted in the same way.
3.4: referring to fig. 8, the conversion of the basic elements of the model is performed on the HCEM in the memory hardware means MEM.
3.5: referring to fig. 9, the conversion of model basic elements is performed for the HCEM in the Bus hardware component Bus. After completion, step 4 is performed.
4: after all basic model elements in the transaction units contained in the hardware component are converted into GSPN models, the predecessor and successor relations of the transaction units are determined according to the connection relations among the transaction units, and on the basis, the error propagation relation in the HCEM is converted, wherein the conversion steps are as follows:
4.1: for the processor hardware component GPM, BIU is the starting transaction unit of the processor; for the EIT in the BIU transaction unit there is no matching EOT, so the conversion of the error propagation relation for this transaction unit is skipped.
4.2: referring to fig. 10, traversing the transaction units in the HCEM of the GPM processor hardware component, IDecoder is an intermediate transaction unit, and its EIT allows the errInvalidInst error type to be received. The predecessor transaction unit of IDecoder is BIU; the error types errInvalidInst and errFaultInst transmitted by the EOT of BIU are extracted, and by error type comparison the EIT of IDecoder is matched with the EOT of BIU that transmits errInvalidInst, so a bidirectional arc is used to connect the "BIU. IExecutor is an end-point transaction unit: first the error type errFaultInst allowed to be received by the EIT in IExecutor is extracted; the predecessor transaction unit of IExecutor is IDecoder, and the error type errFaultInst allowed to be transmitted by the EOT in IDecoder is extracted; this error type is consistent with the error type allowed by the EIT in IExecutor, so the EIT is matched with the EOT in the predecessor unit and a bidirectional arc is used to connect the "IDecoder. Therefore, the conversion of the error propagation relation in the GPM hardware component HCEM is completed.
4.3: for the MEM hardware component, ADecoder is the starting transaction unit of the memory; for the EIT in ADecoder there is no matching EOT, so the conversion of the error propagation relation for this transaction unit is skipped.
4.4: referring to fig. 11, traversing the transaction units in the MEM hardware component HCEM, Banks is an end-point transaction unit. First the error type errFaultAddress allowed to be received by the EIT in Banks is extracted, then the error type allowed to be transmitted by the EOT in the predecessor transaction unit ADecoder is extracted, which is errFaultAddress; this error type is consistent with the error type allowed to be received by the EIT in Banks, so this EIT is matched with the EOT in the predecessor unit, connecting an extra arc pointing to "errFaultAddress" from "ADecoder. Thereby the conversion of the error propagation relation in the MEM hardware component HCEM is completed.
4.5: for the Bus hardware component, Arbitrate is the starting transaction unit of the bus; for the EIT in Arbitrate there is no matching EOT, so the conversion of the error propagation relation for this transaction unit is skipped.
4.6: referring to fig. 12, traversing the transaction units in the Bus hardware component HCEM, Transfer is an end-point transaction unit. First the error type errFaultOrder allowed to be received by the EIT in Transfer is extracted, then the error type allowed to be transmitted by the EOT in the predecessor transaction unit Arbitrate is extracted; this error type is consistent with the error type allowed to be received by the EIT in Transfer, so the EIT is matched with the EOT in the predecessor and an arc is connected. Therefore, the conversion of the error propagation relation in the Bus hardware component HCEM is completed.
4.7: other hardware components in the architecture model do not define HCEM, so the conversion of error propagation relationship in the hardware components is completed, and step 5 is executed.
5: the connection relations between the starting transaction unit and the ending transaction unit in the HCEM of each hardware component and the other components in the architecture model are converted.
5.1: referring to fig. 13, data of the processor hardware component GPM in the error propagation path field of the processor HCEM is transferred to the Bus, so the end transaction unit of the processor GPM is matched with the start transaction unit of the Bus. The error type errFaultData allowed to be received by the EIT of the initial transaction unit of the Bus component is extracted and converted into a migration named "Arbitrate.errFaultData.IN"; the error type allowed to be transmitted by the end-point transaction unit of the processor component GPM, errFaultData, is extracted and is consistent with the error type allowed to be received in the Bus, so a bidirectional arc is established connecting the position "IExecutor.errFaultData.OUT_copy" and the migration "Arbitrate.errFaultData", a transient migration named "errFaultData" is added, an arc from "IExecutor.errFaultData.OUT_copy" pointing to "errFaultData" is established, and finally an arc pointing to "errFaultData" from "Arbitrate.
5.2: referring to fig. 14, since data in the error propagation path field of the memory MEM is transferred to the memory hardware component MEM via the BUS component, the end transaction unit of the BUS is matched with the start transaction unit of the MEM. The error type errFaultAddress allowed to be received by the EIT of the initial transaction unit ADecoder of the memory component MEM is extracted and converted into a migration named "ADecoder.
5.3: according to the Binding information in the architecture model, the software components bound on the processor GPM are found to be the threads thdA and thdB.
5.4: referring to fig. 15, a software error model is defined in the thread thdA, and an event pfailed1 is defined in the error behavior state machine of that software error model; the event is defined as the trigger event by which the processor component influences the thread thdA. The event is converted into the pfailed1 migration in the GSPN model, and a bidirectional arc is used to connect the temporary position "IExecutor.errFaultData. Then the target position "thdA.Faulted2" of pfailed1 is found, and the two are connected with a forbidden arc pointing from the position "thdA.Faulted2" to the migration "pfailed1". Finally, a transient migration "Tx" is generated, an arc is used to connect "IExecutor.errFaultData.OUT_copy" with the transient migration "Tx", and then a forbidden arc pointing to the migration "Tx" from "IExecutor.esExProp" and a forbidden arc pointing to the migration "Tx" from "thdA. The software bound on the CPU component also has the thread thdB; the model elements contained in the thdB thread and the connection relation between thdB and the GPM are converted in the same way.
6: referring to fig. 16, at this point the conversion of all models is completed; the attribute information in the software error models and the properties in the HCEM are extracted, the probability value of each error event is assigned to the GSPN migration corresponding to that error event, and finally a computable GSPN model corresponding to the software and hardware comprehensive reliability model is obtained.
7: referring to fig. 17, a GSPN calculation tool is called, the error-free state of the system is selected as the examined object, and the eitideInvalidInst event in the processor component GPM is selected as the argument. As the occurrence probability of the event is varied from 0 to 1 in steps of 0.1, the probability value corresponding to the error-free state of the system is obtained at each step, giving a curve of the change rule, a histogram and a probability table of the system reliability under the influence of the eitideInvalidInst event, and finally the software and hardware comprehensive reliability evaluation is completed.

Claims (3)

1. A software and hardware integrated AADL model reliability assessment method based on a generalized stochastic Petri network is characterized by comprising the following steps:
step 1: designing an AADL architecture model for a system according to the system specification, and designing an error model for the architecture model according to the reliability requirements, wherein the error model comprises a software error model and an HCEM, to obtain an AADL reliability model with a hierarchical structure;
step 2: converting the AADL software component error model into a GSPN model of the software component;
step 3: converting the basic model elements contained in the HCEM of the AADL into elements in the GSPN model;
step 4: each behavior in the hardware component can be described as a functional transaction unit; the connection sequence between the transaction units in the HCEM is determined according to the relationship between the internal data flow and the internal control flow of the hardware component, and the predecessor and successor relations of each transaction unit in the HCEM are determined on that basis; when the transaction unit A has no predecessor transaction unit and only a successor transaction unit, the transaction unit A is an initial transaction unit; when the transaction unit A has both a predecessor transaction unit and a successor transaction unit, the transaction unit A is an intermediate transaction unit; when the transaction unit A has a predecessor transaction unit and no successor transaction unit, the transaction unit A is an end-point transaction unit; on this basis, the error propagation relation in the AADL transaction-level error model is converted;
step 5: converting the connection relations between the starting transaction unit and the end transaction unit in the HCEM and the other hardware components and software components in the architecture model, specifically:
step 5-1: referring to the error propagation direction defined by an error propagation path in the system error model, if the error propagation direction is from a BUS to a hardware component, matching the end transaction unit of the hardware component with the initial transaction unit of the BUS component; extracting the error type In_type allowed to be received by the EIT of the initial transaction unit in the BUS, and converting this type into a migration in the GSPN model that receives the error transmitted from the hardware component and indicates that the error state of the EIT in the BUS is changed when an external error input is received; extracting the error type Out_type allowed to be transmitted by the EOT in the end-point transaction unit of the hardware component, comparing Out_type with In_type, and if the error types are consistent, establishing a bidirectional arc connecting the temporary position p2 corresponding to the EOT of the BUS end-point transaction unit with the migration corresponding to the EIT of the initial transaction unit of the hardware component, then adding a transient migration q2, establishing an arc from the temporary position p2 pointing to the transient migration q2, and finally establishing two forbidden arcs pointing to the transient migration q2 from the target position of the EOT transition and from the target position of the current EIT transition;
step 5-2: if the error propagation direction is from the BUS to the hardware component, matching the starting transaction unit of the hardware component with the ending transaction unit of the BUS component; extracting the error type In_type allowed to be received by the EIT in the starting transaction unit of the hardware component, and converting it into a migration in the GSPN model, where the migration receives the error transmitted by the BUS and indicates that the error state of the transaction unit is changed when an external error input is received; extracting the error type Out_type allowed to be transmitted by the EOT in the end-point transaction unit of the BUS, comparing Out_type with In_type, and if the error types are consistent, establishing a bidirectional arc connecting the temporary position p3 corresponding to the EOT of the end-point transaction unit of the hardware component B with the migration corresponding to the EIT of the initial transaction unit of the hardware component, then adding a transient migration q3, establishing an arc from the temporary position p3 pointing to the transient migration q3, and finally establishing two forbidden arcs pointing to the transient migration q3 from the target position of the EOT transition and from the target position of the current EIT transition;
step 5-3: finding all software components bound to the hardware component through the binding relationship, establishing a software component list, selecting a first item in the list, and entering the step 5-3;
step 5-4: according to the name of the selected software component, finding the error behavior state machine defined in the error model of the software component, finding the event h by which the hardware affects the software component according to the content of the error behavior state machine, and at the same time finding the GSPN migration q4 corresponding to that event; using a bidirectional arc to connect the migration q4 with the position p4 converted from the EOT of the hardware end-point transaction unit, which represents the hardware component communicating the error to the software component; searching, in the error model of the current software component, for the transition whose trigger condition is the event h, finding the position p5 corresponding to the target state of that transition in the GSPN model, and connecting a forbidden arc pointing to the migration q4 from the position p5, to prevent the current transition from being triggered repeatedly while it has been triggered and not yet repaired; adding a transient migration q5, establishing an arc from the temporary position p4 pointing to the transient migration q5, and finally establishing two forbidden arcs pointing to the transient migration q5 from the position of the target state of the transition defined in the EOT and from the predecessor position of the event h in the software component, for absorbing the redundant token in the boundary transaction unit position p4, so that the fault in the hardware component cannot act on the software component repeatedly and defeat the repair function in the software component;
step 5-5: selecting the next software component from the component list in the step 5-2, and repeating the step 5-3 until all the software components in the list complete the conversion of the binding relationship, so as to obtain a GSPN model combined by a GSPN submodel of the hardware component error model and a GSPN submodel of the software component error model; step five, configuring migration parameters for the GSPN model according to the attribute parameters of the source model;
step 6: extracting the probability attributes of the error events in the error model and transaction-level error model attribute set, assigning the probability attributes to the probability attributes of corresponding migration of each event in the GSPN model, and finally obtaining a complete and computable GSPN model integrating software and hardware; calling a GSPN calculation tool to perform stable probability distribution calculation on a software and hardware integrated GSPN reliability calculation model, and obtaining probability values of the system in different states under set parameters when performing primary calculation;
step 7: selecting certain states in the source model as examination objects, selecting an error event in the source model, repeatedly executing the calculation process of step 6 while the occurrence probability of the error event is changed gradually from an initial value by a fixed step length, to obtain the reliability probability values of the system under the different occurrence probabilities of the error event, recording the reliability probability values, displaying the results in various forms through a two-dimensional line graph, a bar graph and a probability correspondence table, and finally obtaining the change rule of the system reliability under the influence of the error event; thereby the comprehensive reliability evaluation of software and hardware is completed.
2. The AADL model reliability assessment method based on generalized stochastic Petri network software and hardware synthesis as claimed in claim 1, wherein the conversion method and conversion sequence in step 3 are as follows:
step 3-1: for one of the HCEMs, converting each error state in the TEM into a position in the GSPN model, with the initial error state in the TEM converted into a position holding a token; then converting each error event that triggers a transition in the TEM into a migration in the GSPN model, and converting each transition between error states in the TEM into an arc from the source position to the migration and an arc from the migration to the target position; error events obeying a fixed probability distribution are converted into transient migrations in the GSPN model, and error events obeying a Poisson distribution are converted into timed migrations;
step 3-2: converting the EIT in the TEM: retrieving the transitions according to whether the triggering event of each transition in the TEM refers to the EIT, and skipping this step if no transition in the TEM refers to the EIT; if an EIT event is referenced by a transition, extracting the name and error type of the EIT and converting the EIT into one of the migrations in the GSPN model, indicating that the error state of the transaction unit is changed under the influence of an external error;
step 3-3: converting the EOT in the TEM: the EOT is converted into a temporary position p' representing the error output of the transaction unit and an EOT delayed migration t'; the transition from the source error state to the error event defined in the EOT is converted into an arc from that position pointing to the migration t' and an arc from the migration t' pointing to the temporary position p'; at the same time a forbidden arc pointing to the migration t' from the temporary position p' is established, which ensures that only one token is transmitted to the next position in each transition; finally an arc from the migration t' pointing to the initial position of the transaction unit is added, representing that the state of the transaction unit is reset to the initial state after its error has been transmitted to the next unit;
step 3-4: traversing all transaction units in the HCEM, if a next transaction unit exists, returning to the step 1, and converting basic model elements of the next transaction unit; if no next transaction unit exists, the basic model elements contained in all the transaction units in the HCEM are completed, and the step 3-5 is executed;
step 3-5: and if other hardware components in the architecture model define the HCEM, executing the step 3-1 to the step 3-4 to convert the basic model elements in the other hardware components HCEM, and otherwise executing the step 4.
3. The AADL model reliability assessment method based on generalized stochastic Petri network software and hardware synthesis as claimed in claim 1, wherein the conversion method and the conversion sequence in step 4 are as follows:
step 4-1: when the transaction unit is an initial transaction unit, because the EOT of no predecessor transaction unit is matched with the EIT of the current transaction unit, the matching of the error propagation relation in the transaction unit is skipped;
step 4-2: when the transaction unit is an intermediate transaction unit or an end-point transaction unit, extracting the error type In_type allowed to be received by the EIT in the current transaction unit, finding all the error types Out_type allowed to be transmitted by the EOT in the predecessor transaction unit according to the connection relation between the transaction units, comparing Out_type with In_type, and if the error types are consistent, establishing a bidirectional arc connecting the temporary position p1 corresponding to the EOT of the predecessor transaction unit with the migration corresponding to the current EIT, then adding a transient migration q1, establishing an arc from the temporary position p1 pointing to the transient migration q1, and finally establishing two forbidden arcs pointing to the transient migration q1 from the target position of the EOT transition and from the target position of the current EIT transition; these two forbidden arcs absorb redundant tokens, ensuring that an error cannot be transmitted repeatedly once it has been transmitted out; if none of the error types are consistent, no matching is performed and the transaction unit is skipped;
step 4-3: traversing all transaction units in the HCEM, if the transaction units are initial transaction units, executing the step 4-1, otherwise executing the step 4-2; and after finishing the judgment of all the transaction units in the hardware component, judging whether other HCEM are defined in the architecture model, if so, returning to the step 4 to carry out the conversion of the error propagation relation on the next hardware component, otherwise, entering the step 5.
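As an added example (not the patent's own tool), the following Python encodes the TEM-to-GSPN conversion of claim 2 steps 3-1 to 3-3 and the EOT/EIT matching of claim 3 step 4-2, applied to the BIU and IDecoder units of steps 3.1 to 4.2 of the embodiment above. Unit names and error types follow the embodiment; their internal states, events and transitions, and the name given to the transient migration q1, are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class TEM:
    """Transaction-unit error model of one hardware transaction unit.
    states[0] is the initial error state; eot lists (source_state, error_type)."""
    name: str
    states: list
    events: dict       # event name -> "poisson" (delayed) or "fixed" (instant)
    transitions: list  # (src_state, event, dst_state)
    eit: dict          # EIT event name -> error type accepted from the predecessor
    eot: list          # (source_state, error_type) allowed to propagate out


@dataclass
class GSPN:
    places: dict = field(default_factory=dict)   # position -> initial token count
    timed: set = field(default_factory=set)      # delayed migrations
    immediate: set = field(default_factory=set)  # instant migrations
    arcs: set = field(default_factory=set)       # ordinary arcs (src, dst)
    inhibitor: set = field(default_factory=set)  # forbidden arcs (position, migration)


def convert_unit(tem: TEM, net: GSPN) -> None:
    """Steps 3-1 to 3-3: basic model elements of one transaction unit."""
    u, init = tem.name, f"{tem.name}.{tem.states[0]}"
    for s in tem.states:                          # 3-1: error states -> positions
        net.places[f"{u}.{s}"] = 1 if s == tem.states[0] else 0
    referenced = {e for _, e, _ in tem.transitions}
    for e, dist in tem.events.items():            # 3-1/3-2: events -> migrations
        if e in tem.eit and e not in referenced:
            continue                              # EIT referenced by no transition: skip
        (net.timed if dist == "poisson" else net.immediate).add(f"{u}.{e}")
    for src, e, dst in tem.transitions:           # 3-1: state transitions -> arcs
        net.arcs.add((f"{u}.{src}", f"{u}.{e}"))
        net.arcs.add((f"{u}.{e}", f"{u}.{dst}"))
    for src, err in tem.eot:                      # 3-3: EOT -> delayed migration t'
        t, p = f"{u}.{err}.OUT", f"{u}.{err}.OUT_copy"   # and temporary position p'
        net.timed.add(t)
        net.places[p] = 0
        net.arcs.update({(f"{u}.{src}", t), (t, p), (t, init)})  # (t, init) = reset arc
        net.inhibitor.add((p, t))                 # p' -| t': only one token in p' at a time


def match_propagation(pred: TEM, succ: TEM, net: GSPN) -> list:
    """Step 4-2: match the successor's EIT against the predecessor's EOT by error type.
    Returns the (pred, error_type, succ, eit_event) tuples that were connected."""
    matched = []
    eit_target = {e: dst for _, e, dst in succ.transitions}
    out_types = {err for _, err in pred.eot}
    for e, in_type in succ.eit.items():
        if in_type not in out_types or e not in eit_target:
            continue                              # types inconsistent: no matching
        p1 = f"{pred.name}.{in_type}.OUT_copy"    # temporary position of the matched EOT
        t = f"{succ.name}.{e}"                    # migration converted from the EIT
        q1 = f"{pred.name}.{in_type}.{succ.name}.absorb"  # transient migration q1 (assumed name)
        net.immediate.add(q1)
        net.arcs.update({(p1, t), (t, p1), (p1, q1)})   # bidirectional arc, then p1 -> q1
        # two forbidden arcs into q1: from the EOT target (the predecessor's initial
        # position after reset) and from the target position of the current EIT transition
        net.inhibitor.add((f"{pred.name}.{pred.states[0]}", q1))
        net.inhibitor.add((f"{succ.name}.{eit_target[e]}", q1))
        matched.append((pred.name, in_type, succ.name, e))
    return matched


# Constructed sample units (names follow the embodiment; internals are assumptions).
BIU = TEM("BIU", ["esBIU", "esInvalidInst", "esFaultInst"],
          {"evInvalidInst": "poisson", "evFaultInst": "poisson", "evRecover": "fixed"},
          [("esBIU", "evInvalidInst", "esInvalidInst"),
           ("esBIU", "evFaultInst", "esFaultInst"),
           ("esInvalidInst", "evRecover", "esBIU")],
          eit={}, eot=[("esInvalidInst", "errInvalidInst"), ("esFaultInst", "errFaultInst")])

IDECODER = TEM("IDecoder", ["esIDecoder", "esInvalidInst", "esFaultInst"],
               {"eitideInvalidInst": "fixed", "evFaultInst": "poisson"},
               [("esIDecoder", "eitideInvalidInst", "esInvalidInst"),
                ("esIDecoder", "evFaultInst", "esFaultInst")],
               eit={"eitideInvalidInst": "errInvalidInst"},
               eot=[("esInvalidInst", "errFaultInst")])


def build_gpm() -> tuple:
    """Steps 3 and 4 for the BIU -> IDecoder part of the GPM processor HCEM."""
    net = GSPN()
    for unit in (BIU, IDECODER):
        convert_unit(unit, net)
    # BIU is the starting unit (step 4-1): nothing precedes it, so only IDecoder is matched
    matched = match_propagation(BIU, IDECODER, net)
    return net, matched
```

Calling build_gpm() yields the structural net (positions, migrations, arcs, forbidden arcs) that a GSPN tool would then parameterise in step 6; a successor whose EIT error type has no matching EOT type is skipped, as in steps 4-1 and 4-2.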
CN202010891607.9A 2020-08-31 2020-08-31 Software and hardware integrated AADL (architecture analysis and design language) model reliability evaluation method based on generalized stochastic Petri network Active CN112100062B (en)

Publications (2)

Publication Number Publication Date
CN112100062A CN112100062A (en) 2020-12-18
CN112100062B (en) 2023-01-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant