Similar literature
 20 similar documents found (search time: 31 ms)
1.
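In the dynamic, open, heterogeneous, and changeable environment of the Internet, composite software must not only be functionally correct; satisfying non-functional properties (time, cost, probability, etc.) is also becoming an increasingly important issue. At the design stage of composite software, building a unified model of its functional and non-functional aspects and verifying its functional correctness and non-functional satisfiability is an important means of ensuring its trustworthiness. By extending UML sequence diagrams with time, cost, and probability properties, a property sequence diagram is proposed that can model, in a unified way, the interaction behavior of composite software together with its time, cost, and probability properties. The property sequence diagram is modeled in two layers: basic property sequence diagrams model concrete interaction scenarios involving time and cost properties, and high-level property sequence diagrams compose basic property sequence diagrams probabilistically to form global scenarios. A modeling example for BPEL4WS is given to illustrate the effectiveness of the proposed modeling method.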

2.
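Research and Prospects of Processor Fault-Tolerance Techniques   Total citations: 3, self-citations: 1, citations by others: 3
With advances in manufacturing processes and the shrinking of silicon feature sizes, computer systems face an unprecedented impact from transient faults. Dependable computing has become a hot topic in the design and application of desktop and embedded systems, with the dependable design of processors at its core. First, a novel and fairly comprehensive classification of processors is proposed from the perspective of fault-tolerance techniques. On this basis, following the development trends of processor fault-tolerance techniques, currently popular fault-tolerance mechanisms and techniques at the processor architecture and microarchitecture levels, as well as representative recent research results at different levels, are introduced and analyzed. Finally, opinions and suggestions are offered on new trends and directions in processor fault-tolerance research.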

3.
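I. Introduction. At present, distributed object computing technology, represented by CORBA, is maturing, and more and more distributed application systems are implemented using the standard services and protocols provided by CORBA. The new generation of CORBA-based distributed systems, such as distributed real-time control systems, online payment systems, and stock trading systems, requires reliability guarantees. Fault tolerance is an important means of ensuring reliability while a distributed system is running, and it can be implemented at every layer of a distributed system. Providing fault-tolerance mechanisms through the underlying CORBA infrastructure has significant advantages: it avoids the major changes that would otherwise be needed at the system layer to support fault tolerance, and it simplifies the design of application software. Fault-tolerant CORBA has therefore become, in CORBA research abroad, an important…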

4.
Server-centric architectures such as the Web's suffer from well-known problems related to application size and increasing user requests. Peer-to-peer systems can help address some of the key challenges, but this survey of several current P2P systems shows that dependability remains an open issue. To perform in Internet-scale applications, P2P systems must address the four major properties of dependable systems: scalability, fault-tolerance, security, and anonymity. An output of the comparison provided is an attempt to move toward common terms and definitions. Because the models underlying current P2P systems must be understood to support a thorough investigation of dependability properties, we briefly examine the most popular P2P systems and then compare how these systems address dependability.

5.
Hierarchical design represents a natural solution for managing the growing complexity of computing systems. This leads to systems that are hierarchically structured from a logical or physical viewpoint. Because of the inherent complexity of such systems, the incorporation of fault-tolerance features is highly recommended, to achieve the required dependability level. Hence, it is important to develop evaluation tools that allow to analyse the effectiveness of different fault-tolerance mechanisms. We present a systematic procedure for the construction and evaluation of Markov models for transient dependability analysis, which fully exploits the hierarchical structure of the system under evaluation. A thorough time/space complexity analysis of the proposed procedure shows that it allows a considerable time and space saving with respect to a naive approach to the same problem. Work partially supported by CNR, Progetto Finalizzato Sistemi Informatici e Calcolo Parallelo, under grant no. 91.00905 PF96, and by MURST, Progetto 40% Performability di sistemi distributi e paralleli.

6.
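Key Technologies and Dependability Analysis of a High-Availability Redundant Cluster   Total citations: 1, self-citations: 0, citations by others: 1
Some key technologies of high-availability redundant cluster systems are introduced, and an adaptive fault-tolerance algorithm based on a task table is proposed; the design ideas and concrete implementation of the algorithm are described in detail. Finally, a stochastic Petri net model of the system is built and used for dependability analysis; the computed results show that the system meets practical high-availability requirements.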

7.
The importance of assessing software non-functional properties (NFP) beside the functional ones is well accepted in the software engineering community. In particular, dependability is a NFP that should be assessed early in the software life-cycle by evaluating the system behaviour under different fault assumptions. Dependability-specific modeling and analysis techniques include for example Failure Mode and Effect Analysis for qualitative evaluation, stochastic Petri nets for quantitative evaluation, and fault trees for both forms of evaluation. Unified Modeling Language (UML) may be specialized for different domains by using the profile mechanism. For example, the MARTE profile extends UML with concepts for modeling and quantitative analysis of real-time and embedded systems (more specifically, for schedulability and performance analysis). This paper proposes to add to MARTE a profile for dependability analysis and modeling (DAM). A case study of an intrusion-tolerant message service will offer insight on how the MARTE-DAM profile can be used to derive a stochastic Petri net model for performance and dependability assessment.

8.
Context: A software product line is a family of software systems that share some common features but also have significant variabilities. A feature model is a variability modeling artifact, which represents differences among software products with respect to the variability relationships among their features. Having a feature model along with a reference model developed in the domain engineering lifecycle, a concrete product of the family is derived by binding the variation points in the feature model (called configuration process) and by instantiating the reference model.
Objective: In this work we address the feature model configuration problem and propose a framework to automatically select suitable features that satisfy both the functional and non-functional preferences and constraints of stakeholders. Additionally, interdependencies between various non-functional properties are taken into account in the framework.
Method: The proposed framework combines Analytical Hierarchy Process (AHP) and Fuzzy Cognitive Maps (FCM) to compute the non-functional properties weights based on stakeholders’ preferences and interdependencies between non-functional properties. Afterwards, Hierarchical Task Network (HTN) planning is applied to find the optimal feature model configuration.
Result: Our approach improves state-of-art of feature model configuration by considering positive or negative impacts of the features on non-functional properties, the stakeholders’ preferences, and non-functional interdependencies. The approach presented in this paper extends earlier work presented in [1] from several distinct perspectives including mechanisms handling interdependencies between non-functional properties, proposing a novel tooling architecture, and offering visualization and interaction techniques for representing functional and non-functional aspects of feature models.
Conclusion: Our experiments show the scalability of our configuration approach when considering both functional and non-functional requirements of stakeholders.

9.
The authors address the problem of validating the dependability of fault-tolerant computing systems, in particular, the validation of the fault-tolerance mechanisms. The proposed approach is based on the use of fault injection at the physical level on a hardware/software prototype of the system considered. The place of this approach in a validation-directed design process and with respect to related work on fault injection is clearly identified. The major requirements and problems related to the development and application of a validation methodology based on fault injection are presented and discussed. Emphasis is put on the definition, analysis, and use of the experimental dependability measures that can be obtained. The proposed methodology has been implemented through the realization of a general pin-level fault injection tool (MESSALINE), and its usefulness is demonstrated by the application of MESSALINE to the experimental validation of two systems: a subsystem of a centralized computerized interlocking system for railway control applications and a distributed system corresponding to the current implementation of the dependable communication system of the ESPRIT Delta-4 Project.

10.
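The mobile agent computing paradigm will become the mainstream paradigm of future network computing. The migration mechanism of mobile agents is one of its core technologies and has received wide attention. To improve the reliability and security of mobile agent migration, a migration mechanism supporting security and fault tolerance is proposed. The mechanism uses a structured migration mechanism for addressing and introduces distributed transactions, reliable authentication, and encryption, so that during migration it can effectively protect the security of both the hosts and the mobile agents while providing fault-tolerance support.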

11.
In this paper, we propose and evaluate a framework for fault tolerant workflow execution in Grid environments. Different from previous work in the literature, our system dynamically chooses an appropriate fault tolerance technique while using a user-defined rule-based system. We also provide a generic interface that can be used to add fault tolerance techniques to the framework. The results obtained with real workflows in an experimental Grid environment show that the overhead introduced by our framework in a failure-free execution is, in the worst evaluated case, approximately 10%. Moreover, we show that, using our framework, workflows are able to execute successfully in the presence of failures and that the framework can dynamically choose an appropriate fault tolerance technique. The main contributions of our work are twofold: the developed framework and the model-based dependability analysis we performed on it. The purpose in carrying out a model-based dependability analysis consists in evaluating the interaction between our framework and the distributed Grid environment beyond the physical limitations of an empirical evaluation. By doing this, we provide means to plan the assurance of QoS in the Grid resource allocation, while applying the fault-tolerance mechanisms we implement in our framework regardless of the underlying middleware.

12.
All existing fault-tolerance job scheduling algorithms for computational grids were proposed under the assumption that all sites apply the same fault-tolerance strategy. They all ignored that each grid site may have its own fault-tolerance strategy because each site is itself an autonomous domain. In fact, it is very common that there are multiple fault-tolerance strategies adopted at the same time in a large-scale computational grid. Various fault-tolerance strategies may have different hardware and software requirements. For instance, if a grid site employs the job checkpointing mechanism, each computation node must have the following ability. Periodically, the computational node transmits the transient state of the job execution to the server. If a job fails, it will migrate to another computational node and resume from the last stored checkpoint. Therefore, in this paper we propose a genetic algorithm for job scheduling to address the heterogeneity of fault-tolerance mechanisms problem in a computational grid. We assume that the system supports four kinds of fault-tolerance mechanisms, including the job retry, the job migration without checkpointing, the job migration with checkpointing, and the job replication mechanisms. Because each fault-tolerance mechanism has different requirements for gene encoding, we also propose a new chromosome encoding approach to integrate the four kinds of mechanisms in a chromosome. The risk nature of the grid environment is also taken into account in the algorithm. The risk relationship between jobs and nodes is defined by the security demand and the trust level. Simulation results show that our algorithm has shorter makespan and more excellent efficiencies on improving the job failure rate than the Min–Min and sufferage algorithms.

13.
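Traditional high-dependability assurance mechanisms for safety-critical real-time systems are studied, and a new dependability assurance mechanism supporting multiple levels of criticality is proposed. With this mechanism, fault tolerance can be applied with a degree of redundancy matched to each subsystem's actual dependability requirements. To evaluate the mechanism, the traditional multi-model dependability evaluation method is improved. Based on Markov models, a unified dependability evaluation model is established, with which subsystems of different criticality can be evaluated independently according to their actual dependability requirements. A large number of examples are also used for illustration.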

14.
Fault-tolerant computing: fundamental concepts   Total citations: 2, self-citations: 0, citations by others: 2
Nelson V.P. Computer, 1990, 23(7): 19-25
The basic concepts of fault-tolerant computing are reviewed, focusing on hardware. Failures, faults, and errors in digital systems are examined, and measures of dependability, which dictate and evaluate fault-tolerance strategies for different classes of applications, are defined. The elements of fault-tolerance strategies are identified, and various strategies are reviewed. They are: error detection, masking, and correction; error detection and correction codes; self-checking logic; module replication for error detection and masking; protocol and timing checks; fault containment; reconfiguration and repair; and system recovery.

15.
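Yang Zhuoqun (杨卓群), Jin Zhi (金芝). Journal of Software (《软件学报》), 2017, 28(7): 1676-1697
A self-adaptive system needs to adjust its behavior according to changes in its runtime context and in itself. To achieve autonomous adjustment, a self-adaptive system must be able to monitor changes in context and in itself at runtime, analyze changes in the degree of requirement satisfaction, and reason its way to adaptation decisions. While satisfying functional requirements, this online decision-making must also ensure that the system satisfies specific non-functional requirements, such as reliability and performance. This paper proposes a verification-based optimal decision-making method for self-adaptive systems to ensure that non-functional requirements are satisfied. While identifying adjustable goals to model the adaptation mechanism, the method maps the system's goal model to a corresponding behavior model, represented as a labeled transition system. Taking reliability requirements as an example, it specifies the reliability of tasks with an annotated goal model; it then integrates the system behavior model and the reliability specification into a discrete-time Markov chain with variable states, and describes candidate adaptation configurations as combinations of different variable states. Finally, through online verification of the relevant requirements, the system finds the optimal decision configuration for a given class of context. A case study of a mobile information system demonstrates the feasibility and effectiveness of the method.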

16.
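Lin Chuang (林闯), Kong Xiangzhen (孔祥震), Zhou Huan (周寰). Journal of Software (《软件学报》), 2009, 20(7): 1986-2004
With continuing advances in computer software and hardware and growing application demands, computer-centered computing systems are used ever more widely and their complexity is rising rapidly; the need to evaluate and improve the dependability of computing systems is increasingly urgent. A definition of the dependability of computing systems is first given, and a complete set of quantitative evaluation metrics is systematically defined; the various dependability threats that computing systems face are also classified and analyzed in detail. Traditional methods struggle to cope with the dependability problems of complex systems, and new techniques are still being sought. Against this background, virtualization technology has seen a revival and become a major research focus. Existing research results on using virtualization to enhance system dependability are introduced, and the characteristics and mechanisms of virtualization that contribute to system dependability are summarized. However, the limitations of existing computing system architectures make it hard to fully exploit the advantages of virtualization for enhancing system dependability. Service-oriented architecture (SOA), with its loose coupling and platform independence, is well suited to the needs of virtualization technology. Finally, therefore, SOA and virtualization are combined to propose a system architecture for enhancing the dependability of computing systems, namely service-oriented virtualization (SOV), and an analysis is given of how an SOV system uses its architectural advantages and the mechanisms of virtualization to maintain dependability when subjected to various dependability threats.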

17.
A software product line (SPL) is a family of related programs of a domain. The programs of an SPL are distinguished in terms of features, which are end-user visible characteristics of programs. Based on a selection of features, stakeholders can derive tailor-made programs that satisfy functional requirements. Besides functional requirements, different application scenarios raise the need for optimizing non-functional properties of a variant. The diversity of application scenarios leads to heterogeneous optimization goals with respect to non-functional properties (e.g., performance vs. footprint vs. energy optimized variants). Hence, an SPL has to satisfy different and sometimes contradicting requirements regarding non-functional properties. Usually, the actually required non-functional properties are not known before product derivation and can vary for each application scenario and customer. Allowing stakeholders to derive optimized variants requires us to measure non-functional properties after the SPL is developed. Unfortunately, the high variability provided by SPLs complicates measurement and optimization of non-functional properties due to a large variant space. With SPL Conqueror, we provide a holistic approach to optimize non-functional properties in SPL engineering. We show how non-functional properties can be qualitatively specified and quantitatively measured in the context of SPLs. Furthermore, we discuss the variant-derivation process in SPL Conqueror that reduces the effort of computing an optimal variant. We demonstrate the applicability of our approach by means of nine case studies of a broad range of application domains (e.g., database management and operating systems). Moreover, we show that SPL Conqueror is implementation and language independent by using SPLs that are implemented with different mechanisms, such as conditional compilation and feature-oriented programming.

18.
Various redundancy tactics can be modeled at the design stage of safety-critical systems thereby providing a set of fault-tolerance guidelines for subsequent development activities. However, existing approaches usually interweave redundancy tactics into the functional models making them complex and cluttered; the maintenance of such models is time-consuming and error-prone. To address this problem, we provide a modeling approach to separate the redundancy tactics from the base functional models using aspect-oriented modeling. More specifically, the conceptual models of the redundancy tactics and their semantic constraints are first defined for deriving the relevant aspects. Subsequently, a UML profile is proposed to specify the tactic aspects followed by mapping these concepts to the corresponding concepts of aspect-oriented modeling based on pre-defined principles. In accordance with our proposed profile, reuse directives are applied to handle the overlap of structural features between redundancy tactics and other kinds of tactic. Based on our tactic aspects and their configured attributes, a weaving algorithm is proposed to associate the tactic aspects with the base functional models. The proposed approach is compared with a traditional tactic modeling approach using two safety-critical systems, revealing that: 1) our approach significantly reduces the number of extra model elements needed in the tactic design stage; 2) our approach can largely avoid the impact of changing of the base functional model as the model evolves.

19.
Model driven architecture (MDA) views application development as a continuous transformation of models of the target system. We propose a methodology which extends this view to non-functional properties. In previous publications we have shown how we can use so-called context models to make the specification of non-functional measurements independent of their application in concrete system specifications. We have also shown how this allows us to distinguish two roles in the development process: the measurement designer and the application designer. In this paper we use the notion of context models to allow the measurement designer to provide measurement definitions at different levels of abstraction. A measurement in our terminology is a non-functional dimension that can be constrained to describe a non-functional property. Requiring the measurement designer to define transformations between context models, and applying them to measurement definitions, enables us to provide tool support for refinement of non-functional constraints to the application designer. The paper presents the concepts for such tool support as well as a prototype implementation.

20.
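Description and Verification of Non-Functional Properties in UML Class Diagrams   Total citations: 5, self-citations: 0, citations by others: 5
Zhang Yan (张岩), Mei Hong (梅宏). Journal of Software (《软件学报》), 2009, 20(6): 1457-1469
Building a model of the system is a key activity in software development. A high-quality model should capture not only the system's functional properties, i.e., what the system can do, but also its non-functional properties, i.e., how good the system's quality is. Current general-purpose modeling methods and tools support the modeling of functional properties well, but pay little attention to how to model non-functional properties, and in particular to how to unify the two and check relevant characteristics of the described non-functional properties. UML class diagrams are extended with modeling elements such as non-functional property annotations and constraint relation tables so that they can describe non-functional properties. On this basis, methods are provided for checking the consistency and satisfiability of the non-functional properties in extended UML class diagrams. Through examples, the above non-functional-property-oriented…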
