Similar literature
20 similar documents found
1.
Formal Verification of Real-Time Systems
The design of real-time systems poses a great challenge to system designers. Without a rigorous verification environment, design errors are hard to avoid. This paper encodes a timestamped temporal logic, together with the timed transition systems used to describe concrete real-time systems, into the HOL theorem prover, and implements a basic library of rules and tactics, thereby realizing a simple interactive verification-assistance environment, LRP. As an example, the mutual exclusion property of Fisher's algorithm is verified in IRP.

2.
An Experiment in Program Composition and Proof
This paper explores a compositional approach to program specification, development and proof. We apply a theory of composition to a problem in distributed computing with the goal of understanding the strengths and weaknesses of this compositional approach. First, we describe the theory briefly. Then we give a specification of a desired system. Next, we propose a design of the desired system as a composition of components and prove its correctness. Finally, we show how the proof can be reused for a slightly different compositional structure by using the concept of observation.

3.
The development of distributed real-time embedded systems presents a significant practical challenge both because of the complexity of distributed computation and because of the need to rapidly assess a wide variety of design alternatives in early stages when requirements are often volatile. Formal methods can address some of these challenges but are often thought to require greater initial investment and longer development cycles than is desirable for the development of noncritical systems in highly competitive markets. In this paper we propose an approach that takes advantage of formal modelling and analysis technology in a lightweight way, making significant use of readily available tools. We describe an incremental approach in which detail is progressively added to abstract system-level specifications of functional and timing properties via intermediate models that express system architecture, concurrency and distribution. The approach is illustrated using a model of a home automation system. The models are expressed using the Vienna Development Method (VDM) and are validated primarily by scenario-based tests.

4.
崔进, 段振华, 田聪, 张南. 《软件学报》2018, 29(6): 1670-1680
In embedded systems and operating systems of all kinds, the interrupt mechanism is the key means of ensuring real-time response to asynchronous events. Usually, while one interrupt event is being handled, a more urgent interrupt event requests service, giving rise to nested interrupts. Modelling and verifying nested interrupt systems is a challenging task. This paper proposes a method for modelling and verifying nested interrupt systems. First, a definition of interrupt systems based on projection temporal logic is given and generalized to interrupt systems with arbitrarily many interrupt events, yielding a formal model of nested interrupt systems in projection temporal logic. Second, the Modeling, Simulation and Verification Language (MSVL) is extended with basic interrupt statements defined in projection temporal logic, and the MSVL interpreter is extended so that it can model, simulate and verify nested interrupt systems. Finally, an example demonstrates the correctness and practicality of the proposed method.

5.
陶秋铭, 赵琛, 郭亮. 《软件学报》2009, 20(8): 2074-2086
Based on CTL-FV, an extension of the temporal logic CTL (computation tree logic), this paper gives a formal characterization of the semantics-preservation conditions for two common transformations in optimizing compilation: statement exchange and variable substitution. Semantics-preserving statement exchange Texch and semantics-preserving variable substitution Tsub are defined with conditional rewrite rules, and their semantics preservation is proved within an inductive proof framework. In addition, based on the transformation Texch, a constructive proof is given of the semantics preservation of dependence-preserving statement reordering within a basic block of a program.

6.
Real-Time Fault-Tolerant Scheduling Algorithms for Heterogeneous Distributed Systems
The real-time fault-tolerant scheduling algorithms studied in the literature to date are all based on homogeneous distributed systems, in which all processors are identical. This paper first builds a real-time fault-tolerant scheduling model for heterogeneous distributed systems, in which the processors differ from one another. Based on this heterogeneous model, the paper introduces the concept of reliability cost and proposes two static real-time fault-tolerant scheduling algorithms, RTFTNO and RTFTRC, for scheduling periodic real-time fault-tolerant tasks. When scheduling tasks, RTFTRC tries to minimize the system's reliability cost, whereas RTFTNO does not take reliability cost into account. The paper discusses the performance of the two algorithms in detail. Simulation experiments compare the reliability cost, deadline-miss ratio and schedulability of the two algorithms, and study the relationship between task computation time and reliability cost as well as between the schedule-length threshold and the minimum number of processors. The results show that RTFTRC outperforms RTFTNO.

7.
During the past few years, a number of verification tools have been developed for real-time systems in the framework of timed automata. One of the major problems in applying these tools to industrial-sized systems is the huge memory-usage for the exploration of the state-space of a network (or product) of timed automata, as the model-checkers must keep information about not only the control structure of the automata but also the clock values specified by clock constraints. In this paper, we present a compact data structure for representing clock constraints. The data structure is based on an O(n^3) algorithm which, given a constraint system over real-valued variables consisting of bounds on differences, constructs an equivalent system with a minimal number of constraints. In addition, we have developed an on-the-fly reduction technique to minimize the space-usage. Based on static analysis of the control structure of a network of timed automata, we are able to compute a set of symbolic states that cover all the dynamic loops of the network in an on-the-fly searching algorithm, and thus ensure termination in reachability analysis. The two techniques and their combination have been implemented in the tool UPPAAL. Our experimental results demonstrate that the techniques result in truly significant space-reductions: for six examples from the literature, the space saving is between 75% and 94%, and in (nearly) all examples time-performance is improved. Noteworthy is also the observation that the two techniques are completely orthogonal.

8.
To improve security, cryptographic techniques are generally used, but the security of the system's running process remains insufficiently addressed. To this end, a secure transition system model based on the Temporal Logic of Actions (TLA) is proposed. By setting security attributes and constructing secure actions, every transition the system makes during its run satisfies the security attributes, thereby improving the security of the process. The initial secure state, secure transition conditions, secure states, secure actions, secure traces and the secure transition system are defined, and it is proved that every state in a secure transition system is secure. The secure transition system emphasizes the security of the system's transition process and thus strengthens the security of the system's operation. Application to an example shows that process-oriented security modelling is meaningful for improving system security.

9.
Linear Temporal Logic with Clock Variables and the Verification of Real-Time Systems
To describe the properties and behaviour of real-time systems, various temporal logics, such as Timed Computation Tree Logic, Metric Interval Temporal Logic and Real-Time Temporal Logic, have been proposed over the past ten-odd years. These logics are suited to expressing the properties and specifications of real-time systems, but not their implementation models. As a result, in temporal-logic-based research on real-time systems, the properties and the implementation of a system are usually expressed in two different languages. This paper defines a linear temporal logic with clocks (LTLC), a generalization to the real-time setting of the linear temporal logic proposed by Manna and Pnueli. LTLC can express not only the properties of real-time systems but also, conveniently, their implementations. Within a single semantic framework it can express system descriptions at different levels of abstraction, from high-level requirement specifications down to low-level implementation models, and it can use logical implication to express the semantic consistency between system descriptions at different levels of abstraction. This feature of LTLC will aid both property verification and stepwise refinement of real-time systems.

10.
Efficient and Precise Cache Behavior Prediction for Real-Time Systems
Abstract interpretation is a technique for the static detection of dynamic properties of programs. It is semantics based, that is, it computes approximative properties of the semantics of programs. On this basis, it supports correctness proofs of analyses. It replaces commonly used ad hoc techniques by systematic, provable ones, and it allows for the automatic generation of analyzers from specifications by existing tools. In this work, abstract interpretation is applied to the problem of predicting the cache behavior of programs. Abstract semantics of machine programs are defined which determine the contents of caches. For interprocedural analysis, existing methods are examined and a new approach that is especially tailored for the cache analysis is presented. This allows for a static classification of the cache behavior of memory references of programs. The calculated information can be used to improve worst case execution time estimations. It is possible to analyze instruction, data, and combined instruction/data caches for common (re)placement and write strategies. Experimental results are presented that demonstrate the applicability of the analyses.

11.
Research on Short-Transaction, Hard-Real-Time Dual-Machine Fault-Tolerant Systems
Military, industrial control and e-commerce systems contain a great many high-availability, short-transaction, hard-real-time applications. In such applications a dual-machine system offers a high performance/price ratio, and guaranteeing the hard real-time behaviour, high availability and uninterrupted service of the dual-machine system is the key technical difficulty. This paper focuses on the key issues of system availability, fault detection, result arbitration and state switchover, and, guided by theory, gives implementation strategies together with actual test data. The test data show that the scheme fully meets the system requirements; it has been applied in concrete engineering practice with marked results.

12.
This paper presents an efficient model checking algorithm for one-safe time Petri nets and a timed temporal logic. The approach is based on the idea of (1) using only differences of timing variables to be able to construct a finite representation of the set of all reachable states and (2) further reducing the size of this representation by exploiting the concurrency in the net. This reduction of the state space is possible, because the considered linear-time temporal logic is stuttering invariant. The firings of transitions are only partially ordered by causality and a given formula; therefore the order of firings of independent transitions is irrelevant, and only one of several equivalent interleavings has to be generated for the evaluation of the given formula. In this paper the theory of timing verification with time Petri nets and temporal logic is presented, a concrete model checking algorithm is developed and proved to be correct, and some experimental results demonstrating the efficiency of the method are given.

13.
Fault-Tolerant Scheduling Algorithm for Heterogeneous Distributed Real-Time Simulation Systems
刘云生, 张童, 张传富, 查亚兵. 《软件学报》2006, 17(10): 2040-2047
Heterogeneous distributed real-time simulation systems are a special class of real-time systems. Their fault tolerance is studied on the basis of an improved spare-processor (SP) fault-tolerance model, the checkpoint-based spare processor (CSP) model. First, two propositions are put forward according to the characteristics of simulation systems; these form the basis of the subsequent work. Then, the worst-case response time of simulation tasks is analysed using Markov chains, and schedulability analysis rules for simulation tasks are proposed. Finally, based on the CSP model and the above schedulability rules, a fault-tolerant scheduling algorithm for heterogeneous distributed real-time simulation systems, CSP-RTFT, is proposed. Simulation results show that, compared with SP-RTFT, the algorithm based on the SP model, the proposed algorithm achieves better stability and a higher task acceptance rate; its drawback is a lower resource utilization than algorithms under the PB model.

14.
Model Checking for Combined Logics with an Application to Mobile Systems
In this paper, we develop model checking procedures for three ways of combining (temporal) logics: temporalization, independent combination, and join. We prove that they are terminating, sound, and complete, we analyze their computational complexity, and we report on experiments with implementations. We take a close look at mobile systems and show how the proposed combined model checking framework can be successfully applied to the specification and verification of their properties.

15.
Proving claims about behavior of software is essential for the qualification of computer-based systems used in the control of nuclear reactors. For this Problem Corner, we select one of the verification conditions for a C program that initializes an array to zero. We add assertions about the initial conditions and state of the program and about the expected behavior of the program in terms of its state. The modeling and specification technique is the inductive assertion technique of Floyd-Hoare. The program with assertions is then transformed by the source-to-source program transformation system TAMPR into a set of separate verification conditions to be proven by the automated reasoning system. Our experience with this program demonstrates the typical automated reasoning problems we have encountered and illustrates how we have approached solutions to the problems.
Work supported by the Civilian Reactor Development Program and the Applied Mathematical Sciences Research subprogram of the Office of Energy Research, U.S. Department of Energy, under Contract No. W-31-109-ENG-38.

16.
An intelligent and dependable voting mechanism for use in real-time control applications is presented. Strategies proposed by current safety standards advocate N-version software to minimize the effects of undetected software design faults (bugs). This requires diversity in design but presents a problem in that truly diverse code produces diverse results; that is, differences in output values, timeliness and reliability. Reaching a consensus requires an intelligent voter, especially when non-stop operation is demanded, e.g. in aerospace applications. This paper, therefore, firstly considers the applicable safety standards and the requirements for an intelligent voter service. The use of replicated voters to improve reliability is examined and a mechanism to ensure non-stop operation is presented. The formal mathematical analysis used to verify the crucial behavioural properties of the voting service design is detailed. Finally, the use of neural nets and genetic algorithms to create N-version redundant voters is considered.

17.
Research on Ultra-Dependability Assurance Technology for Safety-Critical Systems
1 Introduction. Safety-critical systems (SCS) are systems whose functional failure would cause major loss of life or property or serious damage to the environment. Such systems are found throughout aerospace, defence, transportation, nuclear power and health care, among many other safety-critical fields. Ultra-dependability refers to a system's ability, given its availability at the start of a mission, to be usable and to perform its specified functions within the specified time and environment, that is, the ability to "succeed whenever operated". With the rapid development of modern society and the presence of unstable factors, safety-critical systems are growing ever larger and more complex, bringing lower reliability and safety, higher investment, longer development cycles and greater risk. Their application environments are also becoming more complex and harsh: from land and sea to the sky and outer space, the operating environments of safety-critical systems keep expanding and becoming more severe. Harsh environments pose a severe challenge to achieving combined characteristics such as high reliability and high safety. In addition, the continuous fault-free mission that the system requires

18.
To support research on fault-tolerant real-time task scheduling algorithms oriented to energy optimization, a frequency-related time Petri net, FRTPN, is proposed. FRTPN introduces a transition frequency-setting space for dynamic voltage scaling and a frequency-related static firing time domain, to support the energy evaluation and optimization of scheduling algorithms; at the same time it adds a class of inhibitor arcs to characterize the fault-tolerant recovery process. The effectiveness of FRTPN is demonstrated by modelling checkpoint-based, energy-optimized fault-tolerant real-time task scheduling.

19.
Safety-critical systems have typical and pressing dependability requirements, and the assessment and verification of their dependability depend on testing. Safety-critical systems are generally complex systems for which manual testing is impractical, so developing automated testing means is an inevitable trend. Addressing the higher-order coordination, real-time and temporal-ordering issues in automating the testing process of safety-critical systems, this paper, building on the Ambient calculus, the CCS calculus and domain theory, gives a definition of higher-order coordination in the testing process and establishes a hierarchical calculus model that provides informatized and automated means for the testing process. By abstracting and organizing the product under test, the test equipment and the test tasks, the model gives a working mode for automating the testing of safety-critical systems. Finally, by extending the definition of labelled transition systems, proofs of the convergence and correctness of higher-order coordination behaviour are given, demonstrating the computability of the model and verifying that testing of safety-critical systems can be automated. The model has been applied in automated spacecraft testing and has become the daily working standard for spacecraft test activities.

20.
This paper deals with the fault estimation problem for a class of linear time-delay systems with intermittent faults and measurement noise. Unlike existing observer-based fault estimation schemes, in the proposed design an iterative learning observer is constructed using the integrated errors composed of the state prediction error and the tracking error in the previous iteration. First, a Lyapunov function that includes the time-delay information is proposed to guarantee the convergence of the system output. Subsequently, a novel fault estimation law based on an iterative learning scheme is presented to estimate the size and shape of various fault signals. Building on the output convergence analysis, we propose an optimal function for selecting appropriate learning gain matrices such that the tracking error converges to zero while ensuring the robustness of the proposed iterative learning observer against measurement noise. An improved sufficient condition for the existence of such an estimator is established in terms of a linear matrix inequality (LMI) using Schur complements and Young's relation. In addition, the results apply both to systems with time-varying delay and to systems with constant delay. Finally, three numerical examples illustrate the effectiveness of the proposed methods and two comparative examples demonstrate the superiority of the algorithm.
