CN112100062A - Software and hardware integrated AADL (architecture analysis and design language) model reliability evaluation method based on generalized stochastic Petri network - Google Patents


Info

Publication number: CN112100062A
Application number: CN202010891607.9A
Authority: CN (China)
Prior art keywords: error, model, transaction unit, GSPN, software
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN112100062B (en)
Inventors: 陆寅 (Lu Yin), 秦树东 (Qin Shudong), 董云卫 (Dong Yunwei)
Current assignee: Northwestern Polytechnical University
Original assignee: Northwestern Polytechnical University
Events: application filed by Northwestern Polytechnical University; priority to CN202010891607.9A; publication of CN112100062A; application granted; publication of CN112100062B.

Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00  Error detection; Error correction; Monitoring
    • G06F 11/36  Preventing errors by testing or debugging software
    • G06F 11/3604  Software analysis for verifying properties of programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a method for evaluating an AADL (Architecture Analysis and Design Language) software and hardware integrated reliability model based on a generalized stochastic Petri net (GSPN). It comprises the following steps: first, construct the software and hardware integrated AADL reliability model; then convert the basic error model elements inside each transaction unit of the transaction-level error model of an operating platform (hardware) component into basic GSPN elements; convert the connection relations between transaction units that describe the data-flow interaction inside the operating platform component; convert the connection relations between operating platform components defined in the architecture model and the binding relations between software components and operating platform components; and finally compose the GSPN submodels obtained from the operating platform components with the GSPN submodels obtained from the software components into a software and hardware integrated GSPN model of the system, invoke a GSPN calculation tool on it, and compute the steady-state probability distribution of the system to complete the software and hardware integrated reliability evaluation.

Description

Software and hardware integrated AADL (architecture analysis and design language) model reliability evaluation method based on generalized stochastic Petri network
Technical Field
The invention relates to an AADL model reliability assessment method, in particular to a software and hardware integrated AADL model reliability assessment method.
Background
The paper "A method for converting a reliability model described in AADL into a GSPN model" proposes a model conversion method that establishes a mapping between AADL model elements and GSPN reliability model elements and can convert the basic elements and model relations of an error model designed in the Architecture Analysis and Design Language (AADL), including basic error model elements, outgoing error propagation rules of a component, accepted (incoming) error propagation rules of a component, and dependency relations in the error model. However, the AADL reliability model built in that method concentrates on describing the behaviour and error propagation mechanism of software components; the error effects and propagation mechanism of the transaction-level behaviour of hardware components are not modelled. In practical application scenarios the influence of hardware failures on system reliability is not negligible, so in embedded system reliability analysis it is necessary to consider the error behaviour of software and hardware together, including their mutual influence, and to analyse the reliability of the system as a whole. AADL is widely used for embedded system modelling: it can build an architecture model of a system, provides rich property description capabilities for components, and can be extended through annexes. A transaction-level error model for hardware components can therefore be added as an annex and combined with the AADL error model annex to complete software and hardware integrated reliability modelling; on that basis a software and hardware integrated reliability evaluation method is provided.
Abbreviations
HCEM (Hardware Component transaction-level Error Model): transaction-level error model of a hardware component
TEM (Transaction unit Error Model): error model of a single transaction unit
EIT (Error Input Transition): incoming error propagation dependency (an error passed into a transaction unit)
EOT (Error Output Transition): outgoing error propagation dependency (an error passed out of a transaction unit)
Disclosure of Invention
Technical problem to be solved
To overcome the insufficient treatment of hardware components in existing AADL-based reliability analysis, the invention provides an AADL model software and hardware integrated reliability evaluation method based on a Generalized Stochastic Petri Net (GSPN).
Technical scheme
A software and hardware integrated AADL model reliability assessment method based on a generalized stochastic Petri network is characterized by comprising the following steps
Step 1: Design an AADL architecture model of the system from the system specification, and design an error model for the architecture model from the reliability requirements; the error model comprises the software error model and the HCEM (hardware component transaction-level error model), giving a hierarchically structured AADL reliability model.
Step 2: converting the AADL software component error model to a GSPN model of the software component.
Step 3: Convert the basic model elements contained in the HCEM of the AADL model into elements of the GSPN model. The conversion rules, in order, are:
Step 3-1: For one TEM in the HCEM, translate each error state of the TEM to a place in the GSPN model, and translate the initial error state of the TEM to the place that carries the single initial token (the initial marking). Then translate the error events that trigger transitions in the TEM to transitions in the GSPN model, and translate the transitions between error states in the TEM to place-to-transition arcs and transition-to-place arcs. Error events that obey a fixed probability distribution are converted to immediate transitions of the GSPN model; error events that obey a Poisson distribution are converted to timed transitions.
Step 3-2: Convert the EIT of the TEM. Search the transitions of the TEM for a trigger event that refers to the EIT; if no transition of the TEM refers to the EIT, skip this step. If a transition does refer to the EIT event, extract the name and error type of the EIT and convert it into a transition of the GSPN model; this transition represents the change of the transaction unit's error state under the influence of an external error.
Step 3-3: Convert the EOT of the TEM into a temporary place p' that represents the error output of the transaction unit and a timed transition t' that represents the EOT. The transition from the source error state to the error event defined in the EOT becomes an arc from the source place to t' and an arc from t' to the temporary place p'. At the same time an inhibitor arc from p' to t' is added; it ensures that this section hands at most one token to the next place at a time. Finally an arc from t' to the initial place of the transaction unit is added, which expresses that the transaction unit returns to its initial state after its error has been passed to the next unit.
Step 3-4: Traverse all transaction units in the HCEM. If there is a next transaction unit, return to step 3-1 and convert the basic model elements of that unit. If there is none, the basic model elements of all transaction units in the HCEM have been converted, and step 3-5 is executed.
Step 3-5: If other hardware components in the architecture model define an HCEM, execute steps 3-1 to 3-4 to convert the basic model elements of their HCEMs; otherwise execute step 4.
Step 4: Each behaviour of a hardware component can be described as a functional transaction unit. The connection order of the transaction units in the HCEM is determined by the data-flow and control-flow relations inside the hardware component, and on that basis the predecessor and successor of each transaction unit in the HCEM are determined. A transaction unit A with no predecessor and at least one successor is a start transaction unit; a transaction unit A with both a predecessor and a successor is an intermediate transaction unit; a transaction unit A with a predecessor and no successor is an end transaction unit. On this basis the error propagation relations of the AADL transaction-level error model are converted, in the following order:
Step 4-1: If the transaction unit is a start transaction unit, matching of error propagation relations for it is skipped, because there is no predecessor whose EOT could match the EIT of the current unit.
Step 4-2: If the transaction unit is an intermediate or an end transaction unit, extract the error type In_type that the EIT of the current unit accepts, and, following the connection relations between transaction units, find the error types Out_type that the EOTs of the predecessor unit are allowed to pass out. Compare each Out_type with In_type. If the types agree, establish a bidirectional arc between the temporary place p1 corresponding to the predecessor's EOT and the transition corresponding to the current EIT; then add an immediate transition q1 and an arc from the temporary place p1 to q1; finally add two inhibitor arcs pointing to q1, one from the target place of the EOT transition and one from the target place of the current EIT transition. The two inhibitor arcs let q1 absorb surplus tokens, so that an error that has been passed out is not passed again. If none of the error types agree, no match is made and the transaction unit is skipped.
Step 4-3: Traverse all transaction units of the HCEM: execute step 4-1 for a start transaction unit and step 4-2 otherwise. After all transaction units of the hardware component have been handled, check whether the architecture model defines other HCEMs; if so, return to step 4 and convert the error propagation relations of the next hardware component, otherwise enter step 5.
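As an added illustration (not the patent's own tool or code), the following Python sketch implements the conversion rules of steps 3-1 to 3-3 and the classification and matching rules of step 4 on a two-unit chain modelled on the BIU and IDecoder units of the embodiment. The state, event and rate names in the sample TEMs are made up for the example, and the place used as the "target place of the EOT transition" for one inhibitor arc of step 4-2 (the predecessor's initial place, where its reset arc lands) is an interpretation of the text.

```python
from dataclasses import dataclass, field


@dataclass
class GSPN:
    """Minimal GSPN container (written for this example, not the patent's data model)."""
    places: dict = field(default_factory=dict)       # place -> initial tokens
    transitions: dict = field(default_factory=dict)  # name -> ("immediate", weight) | ("timed", rate)
    arcs: set = field(default_factory=set)           # (source, target) between a place and a transition
    inhibitors: set = field(default_factory=set)     # (place, transition)

    def arc(self, src, dst):
        self.arcs.add((src, dst))


@dataclass
class TEM:
    """Transaction-unit error model; constructed test data, not AADL annex syntax."""
    unit: str
    states: list                  # error state names; states[0] is the initial state
    events: dict                  # event -> ("poisson", rate) | ("fixed", probability)
    transitions: list             # (src_state, trigger, dst_state); trigger is an event or an EIT name
    eit: dict = field(default_factory=dict)   # EIT name -> accepted error type (In_type)
    eot: dict = field(default_factory=dict)   # EOT name -> (error type Out_type, source state, rate)


def convert_tem(tem, net):
    """Steps 3-1 to 3-3: basic TEM elements -> GSPN elements (names prefixed by unit)."""
    u, init = tem.unit, f"{tem.unit}.{tem.states[0]}"
    for s in tem.states:                                  # 3-1: states -> places, initial state marked
        net.places[f"{u}.{s}"] = 1 if f"{u}.{s}" == init else 0
    for ev, (kind, value) in tem.events.items():          # Poisson -> timed, fixed -> immediate
        net.transitions[f"{u}.{ev}"] = ("timed", value) if kind == "poisson" else ("immediate", value)
    for name in tem.eit:                                  # 3-2: EIT referenced by a transition -> transition
        if any(trigger == name for _, trigger, _ in tem.transitions):
            net.transitions[f"{u}.{name}"] = ("immediate", 1.0)
    for src, trigger, dst in tem.transitions:             # state transitions -> arcs
        net.arc(f"{u}.{src}", f"{u}.{trigger}")
        net.arc(f"{u}.{trigger}", f"{u}.{dst}")
    for name, (_out_type, src, rate) in tem.eot.items():  # 3-3: EOT -> t', p', inhibitor and reset arc
        t_out, p_copy = f"{u}.{name}.out", f"{u}.{name}.out_copy"
        net.transitions[t_out] = ("timed", rate)
        net.places[p_copy] = 0
        net.arc(f"{u}.{src}", t_out)
        net.arc(t_out, p_copy)
        net.inhibitors.add((p_copy, t_out))               # at most one token handed on at a time
        net.arc(t_out, init)                              # unit resets after passing the error


def classify(unit, flows):
    """Step 4: start / intermediate / end unit from the (predecessor, successor) flow pairs."""
    has_pred = any(b == unit for _, b in flows)
    has_succ = any(a == unit for a, _ in flows)
    kinds = {(False, True): "start", (True, True): "intermediate", (True, False): "end"}
    return kinds.get((has_pred, has_succ), "isolated")


def match_units(pred, cur, net):
    """Step 4-2: connect each predecessor EOT to a current-unit EIT of the same error type."""
    matched = []
    for eit_name, in_type in cur.eit.items():
        t_eit = f"{cur.unit}.{eit_name}"
        if t_eit not in net.transitions:                  # EIT never referenced: nothing to connect
            continue
        eit_targets = [f"{cur.unit}.{dst}" for _, trigger, dst in cur.transitions if trigger == eit_name]
        for eot_name, (out_type, _src, _rate) in pred.eot.items():
            if out_type != in_type:
                continue
            p_copy = f"{pred.unit}.{eot_name}.out_copy"
            net.arc(p_copy, t_eit)                        # bidirectional arc p1 <-> EIT transition
            net.arc(t_eit, p_copy)
            q = f"{p_copy}->{t_eit}.absorb"               # immediate q1 fed from p1
            net.transitions[q] = ("immediate", 1.0)
            net.arc(p_copy, q)
            # Two inhibitor arcs into q1: from the EOT transition's target place (taken here to be
            # the predecessor's initial place, where its reset arc lands; an interpretation of the
            # text) and from the target place(s) of the EIT transition.
            net.inhibitors.add((f"{pred.unit}.{pred.states[0]}", q))
            for p in eit_targets:
                net.inhibitors.add((p, q))
            matched.append((eot_name, eit_name))
    return matched


def example_net():
    """Two-unit chain modelled on the BIU -> IDecoder part of the embodiment (constructed data)."""
    biu = TEM("BIU", ["esBIU", "esAddrErr"],
              {"evAddrErr": ("poisson", 1e-3), "evRollback": ("fixed", 1.0)},
              [("esBIU", "evAddrErr", "esAddrErr"), ("esAddrErr", "evRollback", "esBIU")],
              eot={"errInvalidInst": ("errInvalidInst", "esBIU", 1e-4),
                   "errFaultInst": ("errFaultInst", "esBIU", 1e-5)})
    idec = TEM("IDecoder", ["esIDecoder", "esBadInst"],
               {"evRepair": ("poisson", 1e-2)},
               [("esIDecoder", "eitInvalidInst", "esBadInst"), ("esBadInst", "evRepair", "esIDecoder")],
               eit={"eitInvalidInst": "errInvalidInst"},
               eot={"errFaultInst": ("errFaultInst", "esBadInst", 1e-3)})
    flows = [("BIU", "IDecoder")]
    net = GSPN()
    for tem in (biu, idec):
        convert_tem(tem, net)                             # step 3 for every unit
    matched = match_units(biu, idec, net) if classify("IDecoder", flows) != "start" else []
    return net, matched


if __name__ == "__main__":
    net, matched = example_net()
    print(len(net.places), "places,", len(net.transitions), "transitions, matched:", matched)
```

Only the errInvalidInst EOT of the BIU is matched: the errFaultInst EOT still gets its copy place, inhibitor arc and reset arc from step 3-3, but no bidirectional arc, because IDecoder's EIT does not accept that type (step 4-2, "no match is made").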
Step 5: Convert the connection relations between the start and end transaction units of the HCEM and the other hardware and software components of the architecture model, as follows:
Step 5-1: Refer to the error propagation direction defined by the error propagation paths of the system error model. If the direction is from the hardware component to the BUS, the end transaction unit of the hardware component is matched with the start transaction unit of the BUS component. Extract the error type In_type that the EIT of the BUS start transaction unit accepts and convert it into a GSPN transition that receives the error passed in from the hardware component; it represents the change of error state of the BUS transaction unit when an external error input is received. Extract the error type Out_type that the EOT of the hardware component's end transaction unit passes out and compare it with In_type. If they agree, establish a bidirectional arc between the temporary place p2 corresponding to the EOT of the hardware component's end transaction unit and the transition corresponding to the EIT of the BUS start transaction unit, add an immediate transition q2 with an arc from p2 to q2, and finally add two inhibitor arcs to q2, from the target place of the EOT transition and from the target place of the current EIT transition.
Step 5-2: If the direction is from the BUS to the hardware component, the start transaction unit of the hardware component is matched with the end transaction unit of the BUS component. Extract the error type In_type accepted by the EIT of the hardware component's start transaction unit and convert it into a GSPN transition that receives the error passed in from the BUS; it represents the change of error state of the transaction unit when an external error input is received. Extract the error type Out_type passed out by the EOT of the BUS end transaction unit and compare it with In_type. If they agree, establish a bidirectional arc between the temporary place p3 corresponding to the EOT of the BUS end transaction unit and the transition corresponding to the EIT of the hardware component's start transaction unit, add an immediate transition q3 with an arc from p3 to q3, and finally add two inhibitor arcs to q3, from the target place of the EOT transition and from the target place of the current EIT transition.
Step 5-3: Find all software components bound to the hardware component through the binding relations, build a list of these software components, select its first entry and enter step 5-4.
Step 5-4: From the name of the selected software component, find the error behaviour state machine defined in the component's error model and, from its contents, find the event h by which the hardware affects the software component, together with the GSPN transition q4 corresponding to that event. Connect q4 by a bidirectional arc with the place p4 converted from the EOT of the hardware end transaction unit; this represents the hardware component passing its error to the software component. In the error model of the current software component find the transition whose trigger condition is the event h, and the place p5 corresponding to the target state of that transition in the GSPN model; connect p5 to q4 by an inhibitor arc so that the transition cannot be triggered again while it has already been triggered and not yet repaired. Add an immediate transition q5 and an arc from the temporary place p4 to q5; finally add two inhibitor arcs to q5, from the place corresponding to the target state of the transition defined in the EOT and from the predecessor place of the event h in the software component. q5 absorbs surplus tokens in the boundary place p4 of the transaction unit and prevents a fault of the hardware component from acting repeatedly on the software component, which would defeat the repair function of the software component.
Step 5-5: Select the next software component from the list of step 5-3 and repeat step 5-4 until the binding relations of all software components in the list have been converted. The result is a GSPN model composed of the GSPN submodels of the hardware component error models and the GSPN submodels of the software component error models. Step 6 then configures the transition parameters of the GSPN model from the property parameters of the source model.
Step 6: Extract the probability properties of the error events from the error model and from the property set of the transaction-level error model, assign them to the probability properties (rates or weights) of the corresponding transitions of each event in the GSPN model, and obtain the complete, computable software and hardware integrated GSPN model. Call a GSPN calculation tool to compute the steady-state probability distribution of this GSPN reliability model; one computation yields the probabilities of the system being in its different states under the chosen parameters.
Step 7: Select certain states of the source model as the objects of examination and select one error event of the source model. Starting from its initial value, change the occurrence probability of that error event in fixed steps and repeat the computation of step 6 for each value, obtaining and recording the reliability probability of the system for the different occurrence probabilities of the error event. Present the results as a two-dimensional line chart, a bar chart and a probability table, from which the law of change of system reliability under the influence of the error event is obtained. This completes the software and hardware integrated reliability evaluation.
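Steps 6 and 7 as an added, self-contained Python example (not the patent's GSPN calculation tool): it builds the tangible reachability graph of a small hand-constructed GSPN, eliminates the vanishing markings created by immediate transitions, solves the steady-state distribution of the resulting continuous-time Markov chain by Gaussian elimination, and sweeps one error rate in fixed steps. The net, its place names and its rates are constructed for the example; its EIT consumes the token of the temporary place instead of keeping it through the bidirectional arc of step 4-2, which is a simplification made here to keep the state space small.

```python
def make_net(err_rate=0.1, repair_rate=0.4):
    """Constructed net (not from the patent): hardware unit H hands an error to software
    component S through the temporary place H.out_copy, using the step 3-3 pattern (timed
    output transition, inhibitor arc from the copy place, reset arc back to H.ok).
    S.eit (immediate) takes the token when S is healthy; q (immediate) absorbs a surplus
    token when S is already failed. Assumption: the EIT consumes the copy token instead
    of keeping it via the bidirectional arc of step 4-2."""
    return {
        "places": {"H.ok": 1, "H.out_copy": 0, "S.ok": 1, "S.failed": 0},
        "transitions": {"H.err.out": ("timed", err_rate), "S.eit": ("immediate", 1.0),
                        "q": ("immediate", 1.0), "S.repair": ("timed", repair_rate)},
        "arcs": {("H.ok", "H.err.out"), ("H.err.out", "H.out_copy"), ("H.err.out", "H.ok"),
                 ("H.out_copy", "S.eit"), ("S.ok", "S.eit"), ("S.eit", "S.failed"),
                 ("H.out_copy", "q"), ("S.failed", "S.repair"), ("S.repair", "S.ok")},
        "inhibitors": {("H.out_copy", "H.err.out"), ("S.ok", "q")},
    }


def enabled(net, m):
    """Transitions enabled in marking m. Immediate transitions have priority over timed
    ones, so the result is (immediate list, True) or (timed list, False)."""
    imm, timed = [], []
    for t, (kind, value) in net["transitions"].items():
        inputs = [p for p, dst in net["arcs"] if dst == t]
        inhib = [p for p, dst in net["inhibitors"] if dst == t]
        if all(m[p] > 0 for p in inputs) and not any(m[p] > 0 for p in inhib):
            (imm if kind == "immediate" else timed).append((t, value))
    return (imm, True) if imm else (timed, False)


def fire(net, m, t):
    """Marking after firing t: one token from each input place, one to each output place."""
    n = dict(m)
    for src, dst in net["arcs"]:
        if dst == t:
            n[src] -= 1
        if src == t:
            n[dst] += 1
    return n


def settle(net, m, prob=1.0, depth=0):
    """Follow immediate transitions from m (branching on their weights) until tangible
    markings are reached; yields (tangible marking, probability of reaching it)."""
    if depth > 50:
        raise RuntimeError("loop of immediate transitions")
    trans, immediate = enabled(net, m)
    if not immediate:
        yield m, prob
        return
    total = sum(w for _, w in trans)
    for t, w in trans:
        yield from settle(net, fire(net, m, t), prob * w / total, depth + 1)


def build_ctmc(net):
    """Tangible reachability graph of the GSPN; returns (tangible markings, generator Q)."""
    states, index, rates = [], {}, []

    def add(m):
        k = tuple(m[p] for p in net["places"])
        if k in index:
            return index[k], False
        index[k] = len(states)
        states.append(m)
        rates.append({})
        return index[k], True

    todo = [i for i, new in (add(m) for m, _ in settle(net, dict(net["places"]))) if new]
    while todo:
        i = todo.pop()
        trans, immediate = enabled(net, states[i])
        assert not immediate, "tangible markings only"
        for t, rate in trans:
            for target, prob in settle(net, fire(net, states[i], t)):
                j, new = add(target)
                if new:
                    todo.append(j)
                if j != i:                          # self-loops do not change the distribution
                    rates[i][j] = rates[i].get(j, 0.0) + rate * prob
    n = len(states)
    Q = [[rates[i].get(j, 0.0) for j in range(n)] for i in range(n)]
    for i in range(n):
        Q[i][i] = -sum(Q[i])
    return states, Q


def steady_state(Q):
    """Solve pi Q = 0 with sum(pi) = 1 by Gaussian elimination with partial pivoting."""
    n = len(Q)
    M = [[Q[i][j] for i in range(n)] + [0.0] for j in range(n)]   # row j: sum_i pi_i Q[i][j] = 0
    M[-1] = [1.0] * n + [1.0]                                      # normalisation replaces one row
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c and M[r][c] != 0.0:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[r][n] / M[r][r] for r in range(n)]


def reliability(net, healthy_place="S.ok"):
    """Step 6: steady-state probability of the markings in which the examined place is marked."""
    states, Q = build_ctmc(net)
    pi = steady_state(Q)
    return sum(p for m, p in zip(states, pi) if m[healthy_place] > 0)


def sweep(err_rates, repair_rate=0.4):
    """Step 7: vary one error event's rate in fixed steps and record the reliability."""
    return [(r, reliability(make_net(r, repair_rate))) for r in err_rates]


if __name__ == "__main__":
    for r, rel in sweep([0.1, 0.2, 0.3, 0.4]):
        print(f"err_rate={r:.1f}  P(S healthy)={rel:.4f}")
```

For this net only two tangible markings exist (S healthy, S failed): the vanishing marking after H.err.out is resolved by S.eit when S is healthy and by q when S is already failed, so the steady-state probability of S being healthy is repair_rate / (err_rate + repair_rate), which the sweep reproduces.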
Advantageous effects
The invention provides a software and hardware integrated AADL model reliability assessment method based on a generalized stochastic Petri network, which comprises the steps of firstly, establishing a software and hardware integrated reliability model by using AADL, wherein the software and hardware integrated reliability model comprises a system architecture model, a software error model and HCEM; secondly, establishing a conversion rule from the HCEM to the GSPN model, and realizing an automatic conversion method, wherein the HCEM is converted into the GSPN model; meanwhile, the method integrates a conversion method from a software reliability model to a GSPN model, so that a software error model can be converted into the GSPN model, and on the basis, the GSPN model obtained by HCEM conversion and the GSPN model obtained by software error model conversion are combined to form a software and hardware comprehensive reliability calculation model. And finally, calculating the GSPN model by means of a GSPN calculation tool, and analyzing the calculation result, thereby completing the comprehensive reliability evaluation of software and hardware.
Because new model conversion rules are formulated and the conversion method from the software reliability model to the GSPN model is integrated on that basis, the method can convert the software error model and the HCEM (hardware component transaction-level error model) into GSPN models separately. The model elements that the HCEM conversion covers include the transitions caused by error propagation between the transaction units of a hardware component and the transitions caused by the propagation of hardware errors to other components, so the GSPN submodel obtained from the HCEM describes the error propagation rules inside hardware components in more detail. It is finally composed with the GSPN model obtained from the software error model, giving a software and hardware integrated system reliability calculation model whose computed system reliability probability agrees better with reality.
Drawings
FIG. 1 is a flow chart of an embodiment of the method of the present invention;
FIG. 2 is the architecture diagram of the embedded computing system of the embodiment;
FIG. 3 shows the connection relations between the transaction units of the processor, memory and bus hardware components;
FIG. 4 shows the GSPN model elements converted from the error models of the thread components thdA and thdB;
FIG. 5 shows the GSPN model elements converted from the error state machines of the transaction units inside the processor GPM of the system of the embodiment;
FIG. 6 shows the transitions converted from the EITs (error input events) of the transaction units inside the processor GPM;
FIG. 7 shows the GSPN model converted from the EOTs (error output events) of the transaction units inside the processor GPM;
FIG. 8 shows the GSPN model elements converted from the basic model elements of the transaction units inside the memory MEM;
FIG. 9 shows the GSPN model elements converted from the basic model elements of the transaction units inside the Bus;
FIG. 10 shows the GSPN model converted from the error propagation relations between the transaction units inside the processor GPM;
FIG. 11 shows the GSPN model converted from the error propagation relations between the transaction units inside the memory MEM;
FIG. 12 shows the GSPN model converted from the error propagation relations between the transaction units inside the Bus;
FIG. 13 shows the GSPN model converted from the access relation between the processor GPM and the Bus;
FIG. 14 shows the GSPN model converted from the access relation between the memory MEM and the Bus;
FIG. 15 shows the GSPN model converted from the binding relations between the threads thdA and thdB and the processor GPM;
FIG. 16 is the computable GSPN model resulting from the conversion of the software and hardware integrated reliability model;
FIG. 17 shows the software and hardware integrated reliability evaluation result of the system of the embodiment.
Detailed Description
The invention will now be further described with reference to the following examples and drawings:
referring to fig. 1, the invention provides an AADL model software and hardware comprehensive reliability evaluation method based on a generalized stochastic Petri network, which is based on an AADL architecture model of a hierarchical structure, establishes an HCEM of an AADL hardware component and an error model of a software component, and formulates a new model conversion method from an AADL software and hardware comprehensive reliability model to a GSPN model. Firstly, establishing an architecture model based on AADL, and establishing an appendix model for the architecture model by using a software error model appendix and a hardware transaction-level error model appendix to form an AADL software and hardware comprehensive reliability model of the system; and then establishing conversion rules from HCEM to GSPN, respectively converting the HCEM and the software error model of AADL into GSPN models according to the conversion rules, compounding the obtained GSPN submodel of the hardware component and the GSPN submodel of the software component into a GSPN model of the software and hardware integration of the system, and calculating the GSPN model of the software and hardware integration by means of a GSPN calculation tool to complete the reliability evaluation of the software and hardware integration.
1: referring to fig. 2: example an off-board replaceable module (LRM) embedded computing system was used as the target system for implementing the AADL model reliability assessment method for software and hardware integration. The system is named as LRMexample, is a multitask computing system based on a single-processor hardware computing platform, and an AADL architecture model is built according to requirements, wherein the AADL architecture model comprises a system component representing a target system, a processor component, a bus component, a memory component and two system process components, and each process comprises a thread component (thdA and thdB) representing a system task. Data is transmitted between the thread thdA and the thread thdB through port connection; the processor and the memory are connected through bus access, and the two threads are connected with the processor through a binding relationship.
1.2: referring to fig. 3, the error model of the LRMExample system software is first built using the AADL's error model annex sub-language. Then, a transaction-level error behavior model is established for the GPM in the LRMexample system by using the annex sublanguage of the transaction-level error model, and a simple processor component can perform functional simulation by using three transaction units, which are respectively: a bus interface BIU, an instruction decoder IDecoder and an instruction execution unit IExecutor. Firstly, a bus interface BIU of a processor generates a next instruction address and starts an instruction acquisition execution process, whether the instruction address is wrong needs to be judged before instruction fetching, if the instruction address is an illegal address, a transaction is required to be rolled back, the address is recalculated, if the instruction address is other errors, the error is thrown to an IDecoder transaction unit, the error causes an error state machine inside the IDecode unit to be migrated from an initial state to other states, when the error state machine inside the IDecode unit is migrated to a final state, the IDecoder unit can continue to transmit error information to a successor IExecutor of the IDecoder unit, so that the error state machine inside the IExecutor unit is triggered, and when the error state machine inside the IExecutor unit is migrated to the final state, the error transmitted from the IExecutor unit is transmitted to a software component of a system, so that the propagation behavior of the error between the hardware and the software components needs to be described. After the processor completes the task processing, the operation result needs to be transmitted to the memory component for storage, so the data communication connection established between the processor and the memory component through the bus and the process of data storage inside the memory need to be described. 
The above contents are completed, the transaction-level error model modeling of the hardware component is also completed, and then the software component error model and the AADL architecture model are combined to form the integrated reliability model of the embedded computing system software and hardware.
2: referring to fig. 4, in the AADL reliability model of the embedded computing system, components including a software error model, namely a thread thdA and a thread thdB, convert each element in the error model into an element of a GSPN model.
3: the components including the transaction-level error model are the processor GPM, the memory MEM and the Bus, and the basic model elements included in the hardware component HCEM are converted into the elements in the GSPN model, because there are many hardware components involved and the conversion method of the basic model elements is basically the same, only the conversion rule of the transaction-level error model of the processor GPM will be described in detail herein, and the conversion method and the conversion sequence are as follows:
3.1: Referring to fig. 5, the error states contained in the transaction unit error models of BIU, IDecoder and IExecutor in the processor GPM are translated into places of the GSPN model, the initial state becoming the place that holds one token. The error events contained in the event fields of the transaction unit error models are converted into GSPN transitions, whose kind is decided from the event type described in the model: events obeying a Poisson distribution become timed transitions and events obeying a fixed probability distribution become immediate transitions. On this basis the error transitions of the transaction unit error models are converted into place-to-transition and transition-to-place arcs.
3.2: Referring to fig. 6, the EIT of each transaction unit error model is converted next. Searching the trigger events of the state transitions in the BIU transaction unit shows that no EIT is referenced, so for the BIU the EIT conversion step is skipped. The state transitions of the IDecoder transaction unit use the event named eitideInvalidInst defined in its EIT, so that EIT is converted into a transition named "IDecoder.
3.3: Referring to fig. 7, the error types errInvalidInst and errFaultInst that the EOT of the BIU transaction unit is allowed to propagate are extracted and converted into the timed transitions named "BIU.errInvalidInst.out" and "BIU.errFaultInst.out". Then arcs are established from the place "BIU.esBIU" to the transition "BIU.errInvalidInst.out" and from "BIU.errInvalidInst.out" to the place "BIU.errInvalidInst.out_copy", and likewise from "BIU.esBIU" to "BIU.errFaultInst.out" and from "BIU.errFaultInst.out" to the place "BIU.errFaultInst.out_copy". Next, inhibitor arcs from "BIU.errInvalidInst.out_copy" to "BIU.errInvalidInst.out" and from "BIU.errFaultInst.out_copy" to "BIU.errFaultInst.out" are added, ensuring that each section passes at most one token to the next place at a time. Finally, arcs from "BIU.errInvalidInst.out" and "BIU.errFaultInst.out" back to the initial place "BIU.esBIU" are added, so that the BIU unit is reset to its initial state after the error has been propagated. The EOTs of IDecoder and IExecutor are handled in the same way.
3.4: Referring to fig. 8, the conversion of the basic model elements is performed on the HCEM in the memory hardware component MEM.
3.5: Referring to fig. 9, the conversion of the basic model elements is performed on the HCEM in the Bus hardware component Bus. After completion, step 4 is performed.
4: After all basic model elements in the transaction units contained in the hardware components have been converted into GSPN models, the predecessor and successor relations of the transaction units are determined according to the connection relations among them, and on this basis the error propagation relation in the HCEM is converted. The conversion steps are as follows:
4.1: For the processor hardware component GPM, BIU is the starting transaction unit of the processor; no EOT matches the EIT in the BIU transaction unit, so the conversion of the error propagation relation for this transaction unit is skipped.
4.2: Referring to fig. 10, traversing the transaction units in the HCEM of the GPM processor hardware component, IDecoder is an intermediate transaction unit whose EIT allows the error type errInvalidInst to be passed in. The predecessor transaction unit of IDecoder is BIU; the error types errInvalidInst and errFaultInst passed out by the EOT of BIU are extracted, and by comparing error types the EIT of IDecoder is matched with the EOT of BIU that passes out errInvalidInst; a bidirectional arc is used to connect the "BIU. IExecutor is an end-point transaction unit: first the error type errFaultInst that the EIT in IExecutor allows in is extracted; the predecessor transaction unit of IExecutor is IDecoder, and the error type errFaultInst that the EOT in IDecoder allows out is extracted; it is consistent with the error type allowed in by the EIT of IExecutor, so the EIT is matched with the EOT of the predecessor unit, and a bidirectional arc is used to connect the "IDecoder. With this, the conversion of the error propagation relation in the GPM hardware component HCEM is complete.
4.3: for MEM hardware components, ADecoder is the starting transaction unit of memory, for EIT in ADecoder, no EOT matches it, so the translation of the transaction unit to the error propagation relationship is skipped.
4.4: Referring to fig. 11, traversing the transaction units in the MEM hardware component HCEM, Banks is an end-point transaction unit. First the error type errFaultAddress that the EIT in Banks allows in is extracted, then the error type that the EOT in the predecessor transaction unit ADecoder allows out, errFaultAddress, is extracted; it is consistent with the error type allowed in by the EIT in Banks, so this EIT is matched with the EOT in the predecessor unit, and an additional arc pointing to "errFaultAddress" from "ADecoder. This completes the conversion of the error propagation relation in the MEM hardware component HCEM.
4.5: for Bus hardware components, Arbitrate is the starting transaction unit of the Bus, and for EIT in Arbitrate, no EOT matches it, so the translation of the transaction unit to the error propagation relationship is skipped.
4.6: Referring to fig. 12, traversing the transaction units in the Bus hardware component HCEM, Transfer is an end-point transaction unit. First the error type errFaultOrder that the EIT in Transfer allows in is extracted, then the error type that the EOT in the predecessor transaction unit Arbitrate allows out is extracted; it is consistent with the error type allowed in by the EIT in Transfer, so the EIT is matched with the EOT in the predecessor and an arc is connected. This completes the conversion of the error propagation relation in the Bus hardware component HCEM.
4.7: other hardware components in the architecture model do not define HCEM, so the conversion of error propagation relationship in the hardware components is completed, and step 5 is executed.
5: Converting the connection relations between the starting and ending transaction units in the HCEM of each hardware component and the other components in the architecture model.
5.1: Referring to fig. 13, according to the error propagation path field of the processor HCEM, data of the processor hardware component GPM is transferred to the Bus, so the end transaction unit of the processor GPM is matched with the start transaction unit of the Bus. The error type errFaultData that the EIT of the initial transaction unit of the Bus component allows in is extracted and converted into a migration named "Arbitrate.errFaultData.IN"; the error type errFaultData that the end-point transaction unit of the processor component GPM allows out is extracted and is consistent with the error type allowed in by the Bus, so a bidirectional arc is established connecting the position "IExecutor.errFaultData.OUT_copy" and the migration "Arbitrate.errFaultData.IN"; a transient migration named "errFaultData" is added, an arc pointing to "errFaultData" from "IExecutor.errFaultData.OUT_copy" is established, and finally an arc pointing to "errFaultData" from "Arbitrate.
5.2: Referring to fig. 14, since, according to the error propagation path field of the memory MEM, data is transferred to the memory hardware component MEM via the BUS component, the end transaction unit of the BUS is matched with the start transaction unit of the MEM. The error type errFaultAddress allowed in by the EIT of the initial transaction unit ADecoder of the memory component MEM is extracted and converted into a migration named "ADecoder.
5.3: According to the Binding information in the architecture model, the software components bound to the processor GPM are found to be the threads thdA and thdB.
5.4: Referring to fig. 15, a software error model is defined in the thread thdA, and an event pfailed1 is defined in its error behavior state machine; this event is defined as the trigger event by which the processor component affects the thread thdA. The event is converted into the migration "pfailed1" in the GSPN model, and the temporary position "IExecutor.errFaultData.OUT_copy" corresponding to the EOT in the IExecutor transaction unit is connected to the migration "pfailed1" by a bidirectional arc. Then the target position "thdA.fault2" of pfailed1 is found, and the two are connected by a forbidden arc pointing from the position "thdA.fault2" to the migration "pfailed1". Finally, a transient migration "Tx" is generated, an arc connects "IExecutor.errFaultData.OUT_copy" with the transient migration "Tx", and then a forbidden arc pointing to the migration "Tx" from "IExecutor.esexprop" and a forbidden arc pointing to the migration "Tx" from "thdA. The software bound to the CPU component also includes the thread thdB; the model elements contained in thdB and the connection relation between thdB and the GPM are converted in the same way.
6: Referring to fig. 16, at this point the conversion of all models is complete; the attribute information in the software error models and the properties in the HCEM are extracted, the probability value of each error event is assigned to the GSPN migration corresponding to that event, and finally a computable GSPN model corresponding to the integrated software and hardware reliability model is obtained.
7: Referring to fig. 17, a GSPN calculation tool is called, the error-free state of the system is selected as the object under examination, and the eitInvalidInst event in the processor component GPM is selected as the argument. As the occurrence probability of that event is stepped from 0 to 1 in increments of 0.1, the probability value of the error-free state of the system is obtained at each step, giving the change curve, histogram and probability table of the system reliability under the influence of the eitInvalidInst event; this completes the integrated software and hardware reliability evaluation.
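The conversion rules of steps 3 to 5 (claims 2 and 3, with the forbidden arcs of step 5-4), as an added Python example that is not part of the patent: it builds a small GSPN from two constructed transaction-unit error models, BIU feeding IDecoder, and plays a token game on it to check that the forbidden arcs let one propagation through and absorb the rest. The TEM data structure, the state names esExProp/esIDecoder/esFaultInst, the event evInvalidInst, the "absorb" migration and the firing order of the token game are my assumptions; unit and error-type names follow the page.

```python
# Added example (not the patent's code): TEMs -> GSPN per steps 3-1..3-3, 4-2 and 5-4.
from dataclasses import dataclass, field

@dataclass
class TEM:
    name: str
    states: list       # error states; states[0] is the initial state
    events: dict       # event -> "poisson" (timed) or "fixed" (immediate)
    transitions: list  # (source state, triggering event, target state)
    eit: dict          # EIT event -> error type accepted from outside
    eot: dict          # EOT error type -> error state it is emitted from

@dataclass
class GSPN:
    places: dict = field(default_factory=dict)    # place -> tokens
    kinds: dict = field(default_factory=dict)     # transition -> "timed"/"immediate"
    arcs: set = field(default_factory=set)        # (source, target) normal arcs
    inhibitors: set = field(default_factory=set)  # (place, transition) forbidden arcs

def translate_tem(net, tem):
    """Steps 3-1 to 3-3: states, events, transitions, EIT and EOT of one TEM."""
    p = lambda s: f"{tem.name}.{s}"
    for i, s in enumerate(tem.states):           # 3-1: the initial place gets one token
        net.places[p(s)] = 1 if i == 0 else 0
    for src, ev, dst in tem.transitions:
        if ev in tem.eit:                        # 3-2: transition triggered by an EIT event
            t = f"{tem.name}.{ev}.IN"
            net.kinds[t] = "immediate"
        else:                                    # 3-1: Poisson -> timed, fixed -> immediate
            t = f"{tem.name}.{ev}"
            net.kinds[t] = "timed" if tem.events[ev] == "poisson" else "immediate"
        net.arcs |= {(p(src), t), (t, p(dst))}
    for etype, src in tem.eot.items():           # 3-3: EOT -> timed OUT transition + copy place
        t, copy = f"{tem.name}.{etype}.OUT", f"{tem.name}.{etype}.OUT_copy"
        net.kinds[t], net.places[copy] = "timed", 0
        net.arcs |= {(p(src), t), (t, copy), (t, p(tem.states[0]))}  # last arc: reset (step 3.3)
        net.inhibitors.add((copy, t))            # at most one token at a time in the copy place

def match(net, pred, cur):
    """Step 4-2 (5-4 for a bound thread): link a predecessor EOT to a successor EIT by error type."""
    matched = []
    for src, ev, dst in cur.transitions:
        etype = cur.eit.get(ev)
        if etype is None or etype not in pred.eot:
            continue                             # no EOT of that type: skip
        copy, t_in = f"{pred.name}.{etype}.OUT_copy", f"{cur.name}.{ev}.IN"
        net.arcs |= {(copy, t_in), (t_in, copy)}           # bidirectional arc
        net.inhibitors.add((f"{cur.name}.{dst}", t_in))   # 5-4: no re-trigger until repaired
        q = f"{pred.name}.{etype}.absorb"                  # transient "Tx" (name is mine)
        net.kinds[q] = "immediate"
        net.arcs.add((copy, q))
        # forbidden arcs into q: EIT source place, and the EOT's error state (my reading of the claims)
        net.inhibitors |= {(f"{cur.name}.{src}", q), (f"{pred.name}.{pred.eot[etype]}", q)}
        matched.append(etype)
    return matched

def enabled(net, t):
    """Token-game rule: every input place marked and every inhibitor place empty."""
    return all(net.places[s] > 0 for s, d in net.arcs if d == t) and \
        all(net.places[pl] == 0 for pl, tr in net.inhibitors if tr == t)

def fire(net, t):
    for s, d in net.arcs:
        if d == t: net.places[s] -= 1            # consume from input places
        if s == t: net.places[d] += 1            # produce into output places

def settle(net, log):
    """Fire enabled immediate transitions until none is left (vanishing markings)."""
    while True:
        ready = sorted(t for t, k in net.kinds.items() if k == "immediate" and enabled(net, t))
        if not ready:
            return
        fire(net, ready[0])
        log.append(ready[0])

# Constructed models: BIU emits errInvalidInst, IDecoder accepts it through its EIT.
BIU = TEM("BIU", ["esBIU", "esExProp"], {"evInvalidInst": "poisson"},
          [("esBIU", "evInvalidInst", "esExProp")], {}, {"errInvalidInst": "esExProp"})
IDECODER = TEM("IDecoder", ["esIDecoder", "esFaultInst"], {"eitInvalidInst": "fixed"},
               [("esIDecoder", "eitInvalidInst", "esFaultInst")],
               {"eitInvalidInst": "errInvalidInst"}, {"errFaultInst": "esFaultInst"})

def run(schedule):
    """Build the GPM net, fire the timed transitions of `schedule` in order, return (marking, log)."""
    net, log = GSPN(), []
    translate_tem(net, BIU)
    translate_tem(net, IDECODER)
    match(net, BIU, IDECODER)
    settle(net, log)
    for t in schedule:
        if enabled(net, t):
            fire(net, t)
            log.append(t)
        else:
            log.append("blocked:" + t)
        settle(net, log)
    return dict(net.places), log
```

Running `run(["BIU.evInvalidInst", "BIU.errInvalidInst.OUT"] * 2)` fires the IDecoder EIT once and absorbs the second propagation token, leaving IDecoder in esFaultInst and the copy place empty.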

Claims (3)

1. A software and hardware integrated AADL model reliability assessment method based on a generalized stochastic Petri network is characterized by comprising the following steps:
step 1: designing an AADL architecture model for a system according to the system specification, and designing an error model for the architecture model according to the reliability requirements, wherein the error model comprises a software error model and a HCEM, to obtain an AADL reliability model with a hierarchical structure;
step 2: converting the AADL software component error model into a GSPN model of the software component;
step 3: converting the basic model elements contained in the HCEM of AADL into elements in the GSPN model;
step 4: each behavior in the hardware component can be described as a functional transaction unit; the connection order between the transaction units in the HCEM is determined according to the relationship between the internal data flow and the internal control flow of the hardware component, and on this basis the predecessor and successor relations of each transaction unit in the HCEM are determined; when a transaction unit A has no predecessor transaction unit and only a successor transaction unit, A is an initial transaction unit; when A has both a predecessor and a successor transaction unit, A is an intermediate transaction unit; when A has a predecessor transaction unit and no successor transaction unit, A is an end-point transaction unit; on this basis, the error propagation relation in the AADL transaction-level error model is converted;
step 5: converting the connection relations between the starting and end transaction units in the HCEM and the other hardware components and software components in the architecture model, specifically:
step 5-1: referring to the error propagation direction defined by the error propagation path in the system error model, if the error propagation direction is from a hardware component to the BUS, matching the end transaction unit of the hardware component with the initial transaction unit of the BUS component; extracting the error type In_type allowed in by the EIT of the initial transaction unit of the BUS and converting it into a migration in the GSPN model that receives the error passed from the hardware component, indicating that the error state of the transaction unit changes when an external error input is received; extracting the error type Out_type allowed out by the EOT of the end-point transaction unit of the hardware component and comparing it with In_type; if the error types are consistent, establishing a bidirectional arc connecting the temporary position p2 corresponding to the EOT of the end-point transaction unit with the migration corresponding to the EIT of the initial transaction unit, then adding a transient migration q2, establishing an arc from the temporary position p2 to the transient migration q2, and finally establishing two forbidden arcs pointing to the transient migration q2 from the target position of the EOT transition and from the target position of the current EIT transition;
step 5-2: if the error propagation direction is from the BUS to the hardware component, matching the initial transaction unit of the hardware component with the end transaction unit of the BUS component; extracting the error type In_type allowed in by the EIT of the initial transaction unit of the hardware component and converting it into a migration in the GSPN model that receives the error passed from the BUS, indicating that the error state of the transaction unit changes when an external error input is received; extracting the error type Out_type allowed out by the EOT of the end-point transaction unit of the BUS and comparing it with In_type; if the error types are consistent, establishing a bidirectional arc connecting the temporary position p3 corresponding to the EOT of the end-point transaction unit with the migration corresponding to the EIT of the initial transaction unit of the hardware component, then adding a transient migration q3, establishing an arc from the temporary position p3 to the transient migration q3, and finally establishing two forbidden arcs pointing to the transient migration q3 from the target position of the EOT transition and from the target position of the current EIT transition;
step 5-3: finding all software components bound to the hardware component through the binding relationship, establishing a software component list, selecting a first item in the list, and entering the step 5-3;
step 5-4: according to the name of the selected software component, finding the error behavior state machine defined in the error model of that software component, finding from its content the event h by which the hardware affects the software component, and at the same time finding the GSPN migration q4 corresponding to the event; using a bidirectional arc to connect the migration q4 with the position p4 converted from the EOT of the hardware end-point transaction unit, representing the hardware component passing the error to the software component; searching the error model of the current software component for the transition whose trigger condition is the event h, finding the position p5 corresponding to the target state of that transition in the GSPN model, and connecting the migration q4 with the position p5 by a forbidden arc, to prevent the transition from being triggered again while it has been triggered and not repaired; adding a transient migration q5, establishing an arc from the temporary position p4 to the transient migration q5, and finally establishing two forbidden arcs pointing to the transient migration q5 from the position of the target state of the transition defined in the EOT and from the predecessor position of the event h in the software component, which absorb the redundant tokens in the boundary transaction unit position p4 and prevent a fault in the hardware component from acting repeatedly on the software component and so defeating the repair function in the software component;
step 5-5: selecting the next software component from the component list of step 5-2 and repeating step 5-3 until all software components in the list have completed the conversion of the binding relation, obtaining a GSPN model that combines the GSPN submodel of the hardware component error model and the GSPN submodel of the software component error model; step five, configuring migration parameters for the GSPN model according to the attribute parameters of the source model;
step 6: extracting the probability attributes of the error events in the error model and transaction-level error model attribute set, assigning the probability attributes to the probability attributes of corresponding migration of each event in the GSPN model, and finally obtaining a complete and computable GSPN model integrating software and hardware; calling a GSPN calculation tool to perform stable probability distribution calculation on a software and hardware integrated GSPN reliability calculation model, and obtaining probability values of the system in different states under set parameters when performing primary calculation;
step 7: selecting certain states in the source model as the objects under examination and selecting an error event in the source model; while the occurrence probability of the error event is stepped from an initial value by a fixed step length, repeatedly executing the calculation of step 6 to obtain the reliability probability values of the system under the different occurrence probabilities of the error event, recording them, displaying the results as a two-dimensional line graph, a bar graph and a probability table, and finally obtaining the rule by which the system reliability changes under the influence of the error event, completing the integrated software and hardware reliability evaluation.
2. The software and hardware integrated AADL model reliability assessment method based on a generalized stochastic Petri network as claimed in claim 1, wherein the conversion method and conversion sequence in step 3 are as follows:
step 3-1: for one of the HCEMs, converting an error state in the TEM into a position in the GSPN model and converting the initial error state in the TEM into a position with a token in the GSPN model; then converting an error event that causes a transition to be triggered in the TEM into a migration in the GSPN model, and converting the transition between error states in the TEM into an arc from the position to the migration and an arc from the migration to the position; wherein error events obeying a fixed probability distribution are converted into transient migrations in the GSPN model, and error events obeying a Poisson distribution are converted into timed migrations in the GSPN model;
step 3-2: converting the EIT in the TEM, retrieving the transitions according to whether the triggering event defining each transition in the TEM references the EIT, and skipping this step if no transition in the TEM references the EIT; if an EIT event is referenced by a transition, extracting the name and error type of the EIT and converting the EIT into one of the migrations in the GSPN model, indicating that the error state of the transaction unit changes under the influence of an external error;
step 3-3: converting the EOT in the TEM into a temporary position p' representing the error output of the transaction unit and a delayed EOT migration t'; converting the transition from the source error state to the error event defined in the EOT into an arc from that position to the migration t' and an arc from the migration t' to the temporary position p', and at the same time establishing a forbidden arc from the temporary position p' to the migration t', which ensures that only one token is passed to the next position in each transition;
step 3-4: traversing all transaction units in the HCEM; if a next transaction unit exists, returning to step 1 and converting the basic model elements of the next transaction unit; if no next transaction unit exists, the conversion of the basic model elements contained in all transaction units of the HCEM is complete, and step 3-5 is executed;
step 3-5: and if other hardware components in the architecture model define the HCEM, executing the step 3-1 to the step 3-4 to convert the basic model elements in the other hardware components HCEM, and otherwise executing the step 4.
3. The software and hardware integrated AADL model reliability assessment method based on a generalized stochastic Petri network as claimed in claim 1, wherein the conversion method and conversion sequence in step 4 are as follows:
step 4-1: when the transaction unit is an initial transaction unit, because no EOT of a predecessor transaction unit matches the EIT of the current transaction unit, the matching of the error propagation relation for the transaction unit is skipped;
step 4-2: when the transaction unit is an intermediate or end-point transaction unit, extracting the error type In_type allowed in by the EIT of the current transaction unit, finding all error types Out_type allowed out by the EOT of the preceding transaction unit according to the connection relation between transaction units, and comparing Out_type with In_type; if the error types are consistent, establishing a bidirectional arc connecting the temporary position p1 corresponding to the EOT of the preceding transaction unit with the migration corresponding to the current EIT, then adding a transient migration q1, establishing an arc from the temporary position p1 to the transient migration q1, and finally establishing two forbidden arcs pointing to the transient migration q1 from the target position of the EOT transition and from the target position of the current EIT transition, which absorb redundant tokens so that an error, once passed out, is not passed repeatedly; if no error types are consistent, no matching is performed and the transaction unit is skipped;
step 4-3: traversing all transaction units in the HCEM, if the transaction units are initial transaction units, executing the step 4-1, otherwise executing the step 4-2; and after finishing the judgment of all the transaction units in the hardware component, judging whether other HCEM are defined in the architecture model, if so, returning to the step 4 to carry out the conversion of the error propagation relation on the next hardware component, otherwise, entering the step 5.
CN202010891607.9A 2020-08-31 2020-08-31 Software and hardware integrated AADL (architecture analysis and design language) model reliability evaluation method based on generalized stochastic Petri network Active CN112100062B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010891607.9A CN112100062B (en) 2020-08-31 2020-08-31 Software and hardware integrated AADL (architecture analysis and design language) model reliability evaluation method based on generalized stochastic Petri network

Publications (2)

Publication Number Publication Date
CN112100062A true CN112100062A (en) 2020-12-18
CN112100062B CN112100062B (en) 2023-01-17

Family

ID=73756682

Country Status (1)

Country Link
CN (1) CN112100062B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant