# Software Reliability Methods: Study Notes

## Software Reliability Methods

English title: Software Reliability Methods (Chinese edition: 软件可靠性方法)

Doron A. Peled

http://u.cs.biu.ac.il/~doronp/srm.html

## Preface

• Learning formal methods is incomplete without hands-on experience of the relevant tools.
• An effective way to learn formal methods, and to understand their strengths and weaknesses, is to follow the examples that run across chapters.

## Chapter 1 Introduction

### 1.1 Formal Methods

• Correctness: does the system satisfy the customer's specification?
• System vs. specification
• Deductive software verification
• Invariants: correctness assertions
• Model checking: finite-state machines (FSM)
• Software testing

• Specification
• Verification
• Testing

### 1.3 Using Formal Methods

• Obtain a common, formal description of a system. A formal specification lets the different groups taking part in development share one consistent description of the system or its properties.
• The purpose of studying formal methods is to find the errors introduced during system development.
• Formal methods can be integrated into the development process as a supporting activity.

### 1.4 Applying Formal Methods

• State-space explosion
• Compositionality: verify the parts of the system separately, then infer the reliability of the whole

• logic
• FSM

## Chapter 2 Preliminaries

### 2.3 Graphs; Turing Machines

• deterministic model
• nondeterministic model

- space / time
- measures (polynomial, exponential)
- deterministic / nondeterministic

## Chapter 3 Logic and Theorem Proving

• Syntax: specifies how to write legal (well-formed) formulas
• Semantics: specifies the precise meaning of each formula

### 3.1 First-Order Logic

first-order logic

• domain
• codomain

• first order: all variables in a formula range over one fixed domain

• second order: a variable may be a simple variable or a set variable

### 3.2 Terms

signature $G = (V,F,R)$

• the sets V, F, R are pairwise disjoint
• V: the set of variables
• F: the set of function symbols
• R: the set of relation symbols

The function sine() has arity 1.

BNF:
$term ::= var \mid const \mid func(term, \dots, term)$

• var: variable
• func: function symbol
• const: constant

• $G = (V,F,R)$: signature
• D: domain
• F: set of function symbols
• R: set of relation symbols
• mapping $f: F \cup R \rightarrow F \cup R$:

Examples:

• the symbol sub: can be mapped by f to subtraction on the integers
• +: the symbol + is only a syntactic object; the mapping f gives it the meaning of addition

#### 3.2.1 Assignment and Interpretation

assignment: maps each variable in the set V to a value in the domain D, written $\alpha: V \rightarrow D$

Examples:

• term(G): all terms over the signature G.
• $T_\alpha: term(G) \rightarrow D$: the semantic interpretation, which maps each term to a value in the domain.

$$T_\alpha(v) = \alpha(v) \quad \text{for } v \in V$$
$$T_\alpha(func(e_1, \dots, e_n)) = f(func)(T_\alpha(e_1), \dots, T_\alpha(e_n))$$

Example:
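The interpretation $T_\alpha$ of Section 3.2.1, carried out in code. This is an added example, not from Peled's book: the signature (variables x and y; function symbols add, sub and neg with the stated arities), the integer domain D and the mapping f are all constructed for the demonstration. The parser follows the BNF term ::= var | const | func(term, ..., term) and rejects a term that uses a symbol outside V and F or violates a symbol's arity, which is what makes a term well-formed; the evaluator then applies the two defining equations of $T_\alpha$.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature G = (V, F, R); only V and F are needed to build terms.
V = {"x", "y"}                                 # variables
F_ARITY = {"add": 2, "sub": 2, "neg": 1}        # function symbols with their arity

# Interpretation f: maps each function symbol to a concrete function on the
# domain D = integers.  "sub" is only a syntactic object until f gives it meaning.
f = {
    "add": lambda a, b: a + b,
    "sub": lambda a, b: a - b,
    "neg": lambda a: -a,
}

TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z_]\w*)|([(),]))")


def tokenize(s: str) -> List[str]:
    toks, pos = [], 0
    s = s.strip()
    while pos < len(s):
        m = TOKEN.match(s, pos)
        if m is None:
            raise SyntaxError(f"unexpected input at {pos}: {s[pos:]!r}")
        toks.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return toks


def parse(tokens: List[str], pos: int = 0) -> Tuple[tuple, int]:
    """term ::= var | const | func(term, ..., term), by recursive descent.
    Returns the parse tree and the index of the next unread token."""
    if pos >= len(tokens):
        raise SyntaxError("unexpected end of term")
    tok = tokens[pos]
    if tok.isdigit():                       # numeral: a constant of D
        return ("const", int(tok)), pos + 1
    if tok in V:                            # variable from V
        return ("var", tok), pos + 1
    if tok in F_ARITY:                      # function symbol from F
        if pos + 1 >= len(tokens) or tokens[pos + 1] != "(":
            raise SyntaxError(f"function symbol {tok!r} requires '('")
        args, pos = [], pos + 2
        while True:
            arg, pos = parse(tokens, pos)
            args.append(arg)
            if pos >= len(tokens):
                raise SyntaxError("unterminated argument list")
            if tokens[pos] == ",":
                pos += 1
            elif tokens[pos] == ")":
                pos += 1
                break
            else:
                raise SyntaxError(f"expected ',' or ')', got {tokens[pos]!r}")
        if len(args) != F_ARITY[tok]:      # arity check: part of well-formedness
            raise SyntaxError(f"{tok} has arity {F_ARITY[tok]}, got {len(args)}")
        return ("func", tok, args), pos
    raise SyntaxError(f"symbol {tok!r} is in neither V nor F")


def parse_term(s: str) -> tuple:
    tokens = tokenize(s)
    tree, pos = parse(tokens)
    if pos != len(tokens):
        raise SyntaxError(f"trailing input: {tokens[pos:]}")
    return tree


def is_wellformed(s: str) -> bool:
    try:
        parse_term(s)
        return True
    except SyntaxError:
        return False


def T(term: tuple, alpha: Dict[str, int]) -> int:
    """Semantic interpretation T_alpha: term(G) -> D for an assignment alpha: V -> D."""
    if term[0] == "var":
        return alpha[term[1]]                        # T_alpha(v) = alpha(v)
    if term[0] == "const":
        return term[1]                               # a numeral denotes itself in D
    _, name, args = term
    # T_alpha(func(e1, ..., en)) = f(func)(T_alpha(e1), ..., T_alpha(en))
    return f[name](*(T(a, alpha) for a in args))


def evaluate(s: str, alpha: Dict[str, int]) -> int:
    return T(parse_term(s), alpha)


if __name__ == "__main__":
    print(evaluate("sub(x, add(y, 1))", {"x": 10, "y": 2}))   # 7
```

Note that `alpha` only decides the value of variables; the meaning of `add` and `sub` comes from `f`, which is the separation between assignment and interpretation the section draws.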

### 3.3 First-Order Formulas

$simp\_form ::= rel(term, term, \dots, term) \mid term \equiv term$

• rel: relation symbol
• $\equiv$: equality

the semantics of quantified formulas is defined as follows:

### 3.4 Propositional Logic

### 3.5 Proving First-Order Formulas

??

When $\Gamma \models^{S} \varphi$ holds for every structure $S$, we say that $\varphi$ follows from $\Gamma$ and write $\Gamma \models \varphi$.

a proof system

• a set of axioms
• every axiom is an equation template
• proof rules
• each includes premises and a consequent

### 3.6 Properties of Proof Systems

Fermat's conjecture:

#### 3.6.4 Structural Completeness

• Presburger Arithmetic
• Peano Arithmetic

PVS system

type system

## Chapter 4 Modeling Software Systems

The aim of modeling is to reduce the checked system.

### 4.1 Sequential, Concurrent and Reactive Systems

• sequential system

• concurrent system

• reactive system

Example (distributed systems): a specification of an airline reservation system.

• autonomous
• coordinated

non-determinism:

The following are some of the topics one may consider when modeling a software system.

• Representing the system
• Granularity
• The execution model
• Global and local state
### 4.2 States

• initial states
• final states

### 4.3 State Space

transition system

• interleaving model

Question:
In reality, transitions of different processes may overlap in time. How does the interleaving model deal with that?

• commutative

### 4.4 Transition Systems

Formally, a transition system $(S,T,)$ is defined as follows:

• A first-order structure S

• An execution of a system is a sequence of states.

A nondeterministic scheduler

• fairness

LTL

### 4.11 The Branching View

CTL

• linear view vs. branching view
• closed system
• open system

### 4.12 Fairness

fairness: refers to semantic constraints imposed on interleaved executions of concurrent systems.

fairness assumption: rules out infinite executions that are unreasonable for the architecture of the system.

• weak process fairness
• strong process fairness
• weak transition fairness
• strong transition fairness

To demonstrate this, and some of the above fairness conditions, consider a program with two processors $P_1$ and $P_2$.

• Question: how to select a certain fairness?

### 4.13 The Partial Order View

#### 4.13.1 A Bank System Example

The criticism of the interleaving model:

• it does not distinguish between nondeterministic choice and concurrency
• it needs the global states of the entire system.

To relate the partial order execution model to concurrent software, observe that concurrent programs usually have a number of components, each having its own local state space.

For example, we may have a separate component for each

• processor $P_i$ (including the set of variables that can be used or changed only by $P_i$)
• global variable, or
• message queue

#### 4.13.2 Linearization and Global States

the linearization of a partial order

• CCS, LOTOS
• Promela

## Chapter 5 Formal Specification

• mutually related
• mutually constraining

between client and developers.

### 5.1 Properties of Specification Mechanisms

A specification needs to be precise and have a unique, agreed-upon interpretation. Therefore, a specification formalism is required to have a well-defined syntax and precise semantics.

Question: Does the system satisfy its specification?

• effectiveness: is there a way to check or verify that a system is consistent with its specification?
• expressiveness:

trade-off: effectiveness vs. expressiveness -> no silver bullet

• linear temporal logic
• automata

### 5.2 Linear Temporal Logic

modal logic

the syntax of LTL:

the semantics of LTL:

the modal operators:

• nexttime
• eventually
• always
• until
• release

### 5.3 Axiomatizing LTL

The axiomatization includes three parts:

• the first part consists of eight axioms;
• the second part consists of a sound and complete axiomatization for propositional logic;
• the proof system also includes the proof rule:

### 5.4 LTL Specification Examples

?
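The modal operators of Section 5.2 (nexttime, eventually, always, until, release) evaluated over concrete executions, as an added example that is not part of the book. An infinite execution is written as a lasso (a finite prefix followed by a loop repeated forever), which is how model checkers present counterexamples; because such a word has only finitely many distinct suffixes, the unbounded quantifiers in the LTL semantics can be replaced by a bounded scan. The request/grant executions and the two specifications (a response property and a fairness property) are constructed for the demonstration.

```python
from typing import FrozenSet, List

# An infinite word as a lasso: prefix, then loop repeated forever.
# Each position holds the set of atomic propositions true there.
class LassoWord:
    def __init__(self, prefix: List[FrozenSet[str]], loop: List[FrozenSet[str]]):
        assert loop, "the loop must be non-empty"
        self.prefix, self.loop = prefix, loop

    def at(self, i: int) -> FrozenSet[str]:
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def horizon(self, i: int) -> int:
        # Positions i .. i+|prefix|+|loop|-1 pass through every distinct
        # suffix of the word, so "for some/all j >= i" can be checked on them.
        return i + len(self.prefix) + len(self.loop)


# Formula constructors (tuple AST)
def atom(p): return ("atom", p)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def disj(f, g): return ("or", f, g)
def implies(f, g): return ("or", ("not", f), g)
def X(f): return ("X", f)          # nexttime
def F(f): return ("F", f)          # eventually
def G(f): return ("G", f)          # always
def U(f, g): return ("U", f, g)    # until
def R(f, g): return ("R", f, g)    # release


def holds(phi: tuple, w: LassoWord, i: int = 0) -> bool:
    """Does the suffix of w starting at position i satisfy phi?"""
    kind = phi[0]
    if kind == "atom":
        return phi[1] in w.at(i)
    if kind == "not":
        return not holds(phi[1], w, i)
    if kind == "and":
        return holds(phi[1], w, i) and holds(phi[2], w, i)
    if kind == "or":
        return holds(phi[1], w, i) or holds(phi[2], w, i)
    if kind == "X":
        return holds(phi[1], w, i + 1)
    positions = range(i, w.horizon(i))
    if kind == "F":
        return any(holds(phi[1], w, j) for j in positions)
    if kind == "G":
        return all(holds(phi[1], w, j) for j in positions)
    if kind == "U":                 # f U g: g eventually, and f at every position before it
        for j in positions:
            if holds(phi[2], w, j):
                return True
            if not holds(phi[1], w, j):
                return False
        return False
    if kind == "R":                 # f R g: g holds up to and including the first f, or forever
        for j in positions:
            if not holds(phi[2], w, j):
                return False
            if holds(phi[1], w, j):
                return True
        return True
    raise ValueError(f"unknown operator {kind}")


def S(*props) -> FrozenSet[str]:
    return frozenset(props)


# Constructed executions of a request/grant protocol
responsive = LassoWord([S("req")], [S("grant"), S()])   # req, grant, -, grant, -, ...
starving = LassoWord([S("req")], [S()])                 # req, -, -, -, ...

RESPONSE = G(implies(atom("req"), F(atom("grant"))))    # every request is eventually granted
FAIRNESS = G(F(atom("grant")))                          # grants happen infinitely often

if __name__ == "__main__":
    print(holds(RESPONSE, responsive), holds(RESPONSE, starving))   # True False
```

The `horizon` bound is the whole point of the lasso representation: a property such as `G F grant` cannot be checked by running forever, but on an ultimately periodic word one pass over prefix plus one full loop visits every suffix.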

#### 5.4.4 Fairness Conditions

• Weak transition fairness
• Strong transition fairness

### 5.5 Automata over Infinite Words

$\omega$-automata: finite automata over infinite words.

$\omega$-regular language:

Büchi automata: ?

Büchi automata (Wikipedia)

### 5.11 Further Reading

• automata on infinite objects

## Chapter 6 Automatic Verification

Model checking: the algorithmic verification of programs against temporal logic specifications.

• DFS
• BFS

### 6.1 State Space Search

• It is important to represent each state with enough information to allow us to calculate the successors with respect to the enabled transitions.
• It is also important to be able to distinguish each state from other, different states.
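The two requirements above, plus the interleaving model of Sections 4.3 and 4.4, in one small state-space search. This is an added example and not code from the book: the program (two processes that each increment a shared variable with a non-atomic load/inc/store sequence) and the state layout are constructed. A global state packs every program counter, the shared variable and each local register, which is exactly enough to compute successors and to tell states apart; the DFS then finds the interleaving that loses an update.

```python
from typing import List, Optional, Set, Tuple

# Constructed example: each of two processes runs
#   r := x ; r := r + 1 ; x := r
# on a shared variable x, as three atomic transitions.
PROGRAM = ("load", "inc", "store")
NPROC = 2

State = Tuple[Tuple[int, ...], int, Tuple[int, ...]]   # (program counters, x, local registers)
INIT: State = ((0,) * NPROC, 0, (0,) * NPROC)


def step(pid: int, s: State) -> List[Tuple[str, State]]:
    """Transitions of process pid enabled in global state s (at most one here)."""
    pcs, x, regs = list(s[0]), s[1], list(s[2])
    pc = pcs[pid]
    if pc >= len(PROGRAM):          # the process has terminated: nothing enabled
        return []
    op = PROGRAM[pc]
    if op == "load":
        regs[pid] = x
    elif op == "inc":
        regs[pid] += 1
    else:                           # "store"
        x = regs[pid]
    pcs[pid] += 1
    return [(f"P{pid}:{op}", (tuple(pcs), x, tuple(regs)))]


def successors(s: State) -> List[Tuple[str, State]]:
    """Interleaving model: exactly one enabled transition of one process fires per step."""
    out: List[Tuple[str, State]] = []
    for pid in range(NPROC):
        out.extend(step(pid, s))
    return out


def is_terminal(s: State) -> bool:
    return all(pc >= len(PROGRAM) for pc in s[0])


def explore(init: State = INIT):
    """Depth-first search of the reachable state space.
    Returns (visited states, a path to a terminal state where x != NPROC, or None)."""
    seen: Set[State] = {init}
    stack: List[Tuple[State, List[str]]] = [(init, [])]
    counterexample: Optional[List[str]] = None
    while stack:
        s, path = stack.pop()
        if is_terminal(s) and s[1] != NPROC and counterexample is None:
            counterexample = path      # both increments ran, yet x is too small: lost update
        for label, t in successors(s):
            if t not in seen:          # the state tuple is hashable, so duplicates are detected
                seen.add(t)
                stack.append((t, path + [label]))
    return seen, counterexample


def final_values(init: State = INIT) -> Set[int]:
    """All values of x observable once both processes have terminated."""
    seen, _ = explore(init)
    return {s[1] for s in seen if is_terminal(s)}


if __name__ == "__main__":
    states, cex = explore()
    print(len(states), "reachable states; final x values:", final_values())
    print("interleaving that loses an update:", cex)
```

Running the two processes strictly one after the other would only ever give x = 2; it is the exploration of every interleaving that exposes the value 1.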

### 6.2 State Representation

a typical state representation:

### 6.3 The Automata Framework

Büchi automata

the question in the next section: Büchi automata are closed under intersection, union and complementation.

### 6.4 Combining Büchi Automata

An important property of a specification formalism is its closure under the Boolean operators and, or and not.

### 6.8 Translating LTL into Automata

question: how to translate LTL into generalized Büchi automata; safety properties

### 6.13 The State Space Explosion Problem

• Binary Decision Diagrams
• Partial Order Reduction
• Symmetry

## Chapter 7 Deductive Software Verification

### 7.1 Verification of Flowchart Programs

Floyd

a flowchart has four kinds of nodes (see Figure 7.1):

• An oval
• An oval
• A parallelogram
• A rhombus

• initial condition
• final assertion
• precondition
• postcondition

partial correctness: $\{ \varphi \} P \{ \psi \}$

• $\varphi$
• P
• $\psi$

total correctness:

#### 7.2.1 Problems with Array Variable Assignments
#### 7.2.2 Modifying the Proof System

### 7.3 Total Correctness

partially ordered domain:

example:

• the integers with the greater-than relation >

well-founded domain: a partially ordered domain that contains no infinite decreasing sequence, i.e., no sequence of the form $w_0 > w_1 > \dots > w_n > \dots$

### 7.4 Axiomatic Program Verification

Hoare axioms

#### 7.4.1 The Assignment Axiom

It takes the postcondition, describing states after the execution of the assignment, and translates it to the corresponding precondition, stated in terms of the variables before the assignment.

$\{ \varphi[e/v] \}\ v := e\ \{ \psi \}$
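The substitution the assignment axiom performs, implemented as an added example (not from the book): the postcondition is parsed as a Python expression, every occurrence of the assigned variable is replaced by the assigned expression, and the result is the precondition. Formulas, variable names and the small grid of test states are constructed for the demonstration, and `check_triple` is a finite test of a Hoare triple on concrete states, not a proof; it is there to show what goes wrong when a precondition weaker than the substituted one is used. Requires Python 3.9 or later for `ast.unparse`.

```python
import ast
import copy
import itertools
from typing import Dict, Iterable, List, Optional

# Formulas and expressions are written as Python expressions over program
# variables, e.g. "x + 1 > 0".  All states below are constructed test data.


def substitute(formula: str, var: str, expr: str) -> str:
    """formula[expr/var]: replace every occurrence of variable var by expr."""
    replacement = ast.parse(expr, mode="eval").body

    class Subst(ast.NodeTransformer):
        def visit_Name(self, node: ast.Name):
            return copy.deepcopy(replacement) if node.id == var else node

    tree = Subst().visit(ast.parse(formula, mode="eval"))
    return ast.unparse(ast.fix_missing_locations(tree))


def wp_assign(var: str, expr: str, post: str) -> str:
    """Assignment axiom {post[expr/var]} var := expr {post}: the precondition is
    the postcondition with the assigned expression substituted for the variable."""
    return substitute(post, var, expr)


def evaluate(expr: str, state: Dict[str, int]):
    # eval over a constructed state, builtins removed; demonstration only
    return eval(expr, {"__builtins__": {}}, dict(state))


def check_triple(pre: str, var: str, expr: str, post: str,
                 states: Iterable[Dict[str, int]]) -> Optional[Dict[str, int]]:
    """Test {pre} var := expr {post} on concrete states: from every state that
    satisfies pre, execute the assignment and check post.  Returns a violating
    initial state, or None if no given state violates the triple."""
    for s in states:
        if evaluate(pre, s):
            t = dict(s)
            t[var] = evaluate(expr, s)
            if not evaluate(post, t):
                return s
    return None


def grid(names: List[str], lo: int = -3, hi: int = 3) -> List[Dict[str, int]]:
    """All states giving each variable a value in lo..hi (constructed test states)."""
    return [dict(zip(names, vals))
            for vals in itertools.product(range(lo, hi + 1), repeat=len(names))]


if __name__ == "__main__":
    post = "x > 0 and y == x * 2"
    pre = wp_assign("x", "x + y", post)
    print(pre)                                                        # x + y > 0 and y == (x + y) * 2
    print(check_triple(pre, "x", "x + y", post, grid(["x", "y"])))   # None
```

Working on the syntax tree rather than on the string keeps the substitution capture-free with respect to operator precedence: substituting `x + y` for `x` in `y == x * 2` yields `(x + y) * 2`, not `x + y * 2`.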

## Chapter 8 Process Algebra and Equivalences

Process algebras are formalisms for modelling the behavior of systems. nondeterministic choice

Since process algebra usually deals with comparing different systems, choosing the right comparison criteria between systems is of great importance.

• Milner
• Hoare
• Park

### 8.1 Process Algebra

agent: an abstract description of a system.

the main research topics of process algebra:

• defining agents: how they evolve
• defining various operators
• defining the interaction among operators

Another important ingredient of process algebra is a collection of comparison criteria, i.e., equivalence relations between agents.

In process algebra, there is usually no explicit notion of a state as a mapping from variables to values.

Process algebra focuses on the actions of a system rather than its states.

• co-action: $\bar{a}$
• invisible (silent, internal) action

• event: $E_1 \overset{\alpha}{\rightarrow} E_2$

• enabled
• graph vs. configuration

• extended event: $E_1 \overset{\alpha}{\Rightarrow} E_2$

• diverge:

### 8.2 Calculus of Communicating Systems

CCS

the agents can be defined in BNF as follows:

#### 8.2.1 Action Prefix

$\alpha.E \overset{\alpha}{\rightarrow} E$

#### 8.2.2 Choice

$\frac{E \overset{\alpha}{\rightarrow} E'}{E + F \overset{\alpha}{\rightarrow} E'}$

$\frac{F \overset{\alpha}{\rightarrow} F'}{E + F \overset{\alpha}{\rightarrow} F'}$

#### 8.2.4 Restriction

$\frac{E \overset{\alpha}{\rightarrow} E', \quad \alpha, \bar{\alpha} \notin R}{E \setminus R \overset{\alpha}{\rightarrow} E' \setminus R}$

#### 8.2.6 Equational Definitions

how the event $\alpha || A \overset{\beta}{\rightarrow} \alpha || (\alpha || A)$ is derived from the axioms and rules.

#### 8.2.7 The Agent 0

Figure 8.3 describes the graph of the agent $\alpha.(\beta.(\delta || \bar{\delta}) + \gamma)$.

#### 8.2.8 Value-Passing Agents

example: $buy(x).(\overline{insure}(x).(\overline{drive}(x)))$

### 8.5 Equivalence between Agents

the hierarchy (a partial order) of different equivalences

#### 8.5.1 Trace Equivalence

trace: a finite sequence of actions executed by a given agent.

$T(E)$: the set of all the traces that can be performed from an agent E.

#### 8.5.2 Failure Equivalence

a failure of an agent E:

Let Fail(E) be the set of failures of agent E. If Fail(E) = Fail(F), we say that E and F are failure equivalent.

### 8.6 The Hierarchy of Equivalences

Figure 8.10 depicts the hierarchy of equivalences.

### 8.8 Computing Bisimulation Equivalence

• start by constructing the state space $\langle S, \Delta \rangle$
• where S is the finite set of agents that can evolve from either E or F (thus $E, F \in S$).
• $\Delta$ is the transition relation between agents, i.e., $\Delta \subset S \times (Act \cup \{\tau\}) \times S$
• The algorithm repeatedly partitions the states of S into disjoint subsets
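The partitioning algorithm of Section 8.8, together with the trace equivalence of Section 8.5.1 it is contrasted with, as an added example that is not the book's code. The state space $\langle S, \Delta \rangle$ is constructed from three CCS-style agents: E0 = a.(b.0 + c.0), F0 = a.b.0 + a.c.0 and G0 = a.(c.0 + b.0). E0 and F0 have the same traces but are not bisimilar (after a, E0 still offers both b and c while F0 has committed to one), which is exactly the distinction trace equivalence misses; E0 and G0 are bisimilar.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Trans = Tuple[str, str, str]     # (agent, action, agent')

# Constructed LTS <S, Delta> reachable from the three agents; "0" is the
# terminated agent shared by all of them.
DELTA: Set[Trans] = {
    ("E0", "a", "E1"), ("E1", "b", "0"), ("E1", "c", "0"),
    ("F0", "a", "F1"), ("F0", "a", "F2"), ("F1", "b", "0"), ("F2", "c", "0"),
    ("G0", "a", "G1"), ("G1", "c", "0"), ("G1", "b", "0"),
}
S: Set[str] = {p for p, _, _ in DELTA} | {q for _, _, q in DELTA}


def traces(agent: str, max_len: int, delta: Set[Trans] = DELTA) -> Set[Tuple[str, ...]]:
    """T(agent): all action sequences (up to max_len) the agent can perform."""
    result: Set[Tuple[str, ...]] = set()
    frontier = [(agent, ())]
    while frontier:
        p, word = frontier.pop()
        result.add(word)
        if len(word) == max_len:
            continue
        for src, act, dst in delta:
            if src == p:
                frontier.append((dst, word + (act,)))
    return result


def trace_equivalent(e: str, f: str, max_len: int = 4) -> bool:
    return traces(e, max_len) == traces(f, max_len)


def bisimulation_partition(states: Set[str] = S,
                           delta: Set[Trans] = DELTA) -> List[FrozenSet[str]]:
    """Partition refinement for strong bisimulation.  Start with one block
    holding every agent; repeatedly split each block by the agents'
    signatures (the set of (action, target block) pairs they can move to)
    until no block splits.  Agents in the same final block are bisimilar."""
    blocks: List[FrozenSet[str]] = [frozenset(states)]
    while True:
        index: Dict[str, int] = {s: i for i, b in enumerate(blocks) for s in b}
        refined: List[FrozenSet[str]] = []
        for block in blocks:
            groups: Dict[FrozenSet, Set[str]] = {}
            for s in block:
                sig = frozenset((a, index[t]) for p, a, t in delta if p == s)
                groups.setdefault(sig, set()).add(s)
            refined.extend(frozenset(g) for g in groups.values())
        if len(refined) == len(blocks):      # stable: no block was split
            return refined
        blocks = refined


def bisimilar(e: str, f: str) -> bool:
    return any(e in b and f in b for b in bisimulation_partition())


if __name__ == "__main__":
    print(trace_equivalent("E0", "F0"), bisimilar("E0", "F0"), bisimilar("E0", "G0"))   # True False True
```

Each refinement round can only split blocks, never merge them, so with a finite S the loop terminates; the six blocks it ends with here are {E0, G0}, {F0}, {E1, G1}, {F1}, {F2} and {0}.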

the partition algorithm is as follows:

### 8.9 LOTOS

Language of Temporal Ordering Specification.

In LOTOS, agents are called processes; a process is defined as follows:

```
process process_name [action_list] :=
    behaviour_expression
endproc
```

Unlike CCS, LOTOS does not contain co-actions.

LOTOS provides three kinds of methods to merge concurrent processes:

• Full synchronization
• Pure interleaving
• Selective synchronization

• enabling operator

• disruption operator
• hide

## Chapter 9 Software Testing

the levels of testing:

• unit testing
• integration
• system
• acceptance
• regression

• white box

• black box

### 9.2 Control Flow Coverage Criteria

#### 9.2.7 Comparison of Coverage Criteria

### 9.3 Data Flow Coverage Criteria

the hierarchy of dataflow coverage criteria; Markov chain

## Chapter 10 Combining Formal Methods

• automatic verification: state explosion
• theorem proving: slow, and requires human skill

### 10.1 Abstraction

• Proving that the essential properties are preserved between the original system and its simplified version.
• Proving the correctness of the simplified version.

abstraction: reduce an infinite-state system to a finite-state one.

• failing to find an appropriate abstraction, or
• failing to formally prove the correspondence between the original system and its abstract version.

Consider a concrete transition system P (its structure will be given later) whose state space is $A^P = \{S, \}$

two simulation relations:

• a forward simulation
• a backward simulation

The forward simulation relation $R$ must satisfy the following conditions:

• For each initial state

### 10.2 Combining Testing and Model Checking

#### 10.2.3 Combination Lock Automata

combination lock automata

Figure 10.4 gives a combination lock automaton for n = 5.

#### 10.2.4 Black-Box Deadlock Detection

#### 10.2.5 Conformance Testing

Calculating distinguishing sequences

distinguishing set: $ds(C) = \{ dist(s,r) \mid s \in C \vee r \notin C \}$
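Computing dist(s, r) and a distinguishing set, as an added example that is not from the book. The Mealy machine (three states over inputs a and b; it outputs 1 on every third consecutive a) is constructed for the demonstration. A distinguishing sequence for two states is found by breadth-first search over pairs of states, so the first sequence found is a shortest one; the set ds(C) is read here as the sequences separating every state inside C from every state outside it.

```python
from collections import deque
from typing import Dict, Optional, Set, Tuple

Input, Output, StateName = str, str, str

# Constructed Mealy machine: output "1" exactly on every third consecutive "a".
INPUTS = ("a", "b")
DELTA: Dict[Tuple[StateName, Input], Tuple[Output, StateName]] = {
    ("s0", "a"): ("0", "s1"), ("s0", "b"): ("0", "s0"),
    ("s1", "a"): ("0", "s2"), ("s1", "b"): ("0", "s0"),
    ("s2", "a"): ("1", "s0"), ("s2", "b"): ("0", "s0"),
}
STATES = {"s0", "s1", "s2"}


def run(state: StateName, word: Tuple[Input, ...]) -> Tuple[Output, ...]:
    """Output sequence produced from `state` on the input word."""
    outs = []
    for x in word:
        out, state = DELTA[(state, x)]
        outs.append(out)
    return tuple(outs)


def dist(s: StateName, r: StateName) -> Optional[Tuple[Input, ...]]:
    """dist(s, r): a shortest input sequence on which s and r produce different
    outputs, found by breadth-first search over pairs of states.  None means
    no finite experiment separates them (the states are equivalent)."""
    start = (s, r)
    queue = deque([(start, ())])
    seen: Set[Tuple[StateName, StateName]] = {start}
    while queue:
        (p, q), word = queue.popleft()
        for x in INPUTS:
            out_p, next_p = DELTA[(p, x)]
            out_q, next_q = DELTA[(q, x)]
            if out_p != out_q:
                return word + (x,)
            pair = (next_p, next_q)
            if pair not in seen:
                seen.add(pair)
                queue.append((pair, word + (x,)))
    return None


def distinguishing_set(c: Set[StateName],
                       states: Set[StateName] = STATES) -> Set[Tuple[Input, ...]]:
    """ds(C) = { dist(s, r) | s in C, r not in C }: sequences that separate the
    members of C from every non-member."""
    return {seq for s in c for r in states - c
            if (seq := dist(s, r)) is not None}


if __name__ == "__main__":
    print(dist("s0", "s1"), dist("s0", "s2"), distinguishing_set({"s0"}))
```

Two states that the search cannot separate are indistinguishable by any black-box experiment, which is why conformance testing works on a minimized machine.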

#### 10.2.7 Black-Box Checking

### 10.3 The Cleanroom Method

cleanroom method

Reference: 《零缺陷程序设计》 (Zero-Defect Programming)

#### 10.3.1 Verification
#### 10.3.2 Proof Review
#### 10.3.3 Testing

## Chapter 11 Visualization

UML

The SCADE Suite modeling language is SSM (Graphical Esterel) + Lustre

• automata
• flowcharts

### 11.2 Message Sequence Charts

Message Sequence Chart (MSC)

• UML use case
• communication protocol

the goal of MSC: to describe scenarios involving communicating processes.

It can be used to denote the communication structure of typical or exceptional executions of a system, or a counterexample found during testing or model checking.

Figures 11.1 and 11.2 show corresponding graphical and textual representations of an MSC.

tools:
- an analyzer for message sequence charts

MSC semantics: a partially ordered set of events

The semantics of an MSC depends on the architectural parameters; it can differ between architectures with FIFO (first-in, first-out) or non-FIFO queues, or between architectures with one or multiple incoming message queues.

Each MSC corresponds to a graph $(S, <)$, its semantic interpretation, which assumes that for a pair of MSC events $p, q \in S$, $p < q$ means p precedes q:

• Causality: a send p and its corresponding receive q
• Controllability: the event p appears above q on the same process line, and q is a send event.
• FIFO order: the receive event p appears above the receive event q on the same process line, and the corresponding send events p', q' appear on a mutual process line, where p' is above q'.

Note: controllability

Figure 11.1 describes an interaction between three processes, P1, P2 and P3.

verification algorithms for MSCs:

• race condition

Race: a pair of MSC events p, q such that

• p and q appear on the same process line,
• p appears above q, and
• there is no path from p to q in the graph $(S, <)$
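The three ordering rules (causality, controllability, FIFO order) and the race definition above, implemented as an added example that is not the book's analyzer. Charts are constructed: in the first, P1 sends m1 to P2 and m2 to P3, and P3 answers P2 with m3; the chart draws P2 receiving m1 before m3, but nothing in the semantics enforces that, so it is a race. The second chart has two messages from P1 to P2 and is race-free only under the FIFO assumption, which is the architectural dependence the text mentions.

```python
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]       # (process, "send" | "recv", message)

# An MSC is given by (1) the messages with their sender and receiver process
# and (2) each process line as a top-to-bottom list of its send/receive events.
MSC = Tuple[Dict[str, Tuple[str, str]], Dict[str, List[Tuple[str, str]]]]


def precedence(msc: MSC, fifo: bool = True) -> Dict[Event, Set[Event]]:
    """Build the graph (S, <) from the three rules: causality,
    controllability and, on FIFO architectures, FIFO order."""
    messages, lines = msc
    edges: Dict[Event, Set[Event]] = {}

    def add(p: Event, q: Event) -> None:
        edges.setdefault(p, set()).add(q)
        edges.setdefault(q, set())

    # Causality: a send precedes its own receive.
    for m, (src, dst) in messages.items():
        add((src, "send", m), (dst, "recv", m))
    for proc, evs in lines.items():
        for i, (k1, m1) in enumerate(evs):
            for k2, m2 in evs[i + 1:]:
                p, q = (proc, k1, m1), (proc, k2, m2)
                # Controllability: an earlier event on a line precedes a later send.
                if k2 == "send":
                    add(p, q)
                # FIFO: two receives on one line whose sends lie on one common
                # line, in the same order, are received in that order.
                if fifo and k1 == "recv" and k2 == "recv":
                    src1, src2 = messages[m1][0], messages[m2][0]
                    if src1 == src2:
                        sender_line = lines[src1]
                        if sender_line.index(("send", m1)) < sender_line.index(("send", m2)):
                            add(p, q)
    return edges


def reaches(edges: Dict[Event, Set[Event]], p: Event, q: Event) -> bool:
    """Is there a path p -> ... -> q in the graph?"""
    stack, seen = [p], set()
    while stack:
        e = stack.pop()
        for n in edges.get(e, ()):
            if n == q:
                return True
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return False


def races(msc: MSC, fifo: bool = True) -> Set[Tuple[Event, Event]]:
    """Race: p drawn above q on the same process line, yet no path p -> q in
    (S, <), so the chart's visual order is not enforced by the semantics."""
    edges = precedence(msc, fifo)
    _, lines = msc
    found = set()
    for proc, evs in lines.items():
        for i, (k1, m1) in enumerate(evs):
            for k2, m2 in evs[i + 1:]:
                p, q = (proc, k1, m1), (proc, k2, m2)
                if not reaches(edges, p, q):
                    found.add((p, q))
    return found


# Constructed chart 1: P2 is drawn receiving m1 before m3, but nothing forces that order.
CHART_RACE: MSC = (
    {"m1": ("P1", "P2"), "m2": ("P1", "P3"), "m3": ("P3", "P2")},
    {"P1": [("send", "m1"), ("send", "m2")],
     "P2": [("recv", "m1"), ("recv", "m3")],
     "P3": [("recv", "m2"), ("send", "m3")]},
)

# Constructed chart 2: two messages from P1 to P2; ordered only on a FIFO architecture.
CHART_FIFO: MSC = (
    {"m1": ("P1", "P2"), "m2": ("P1", "P2")},
    {"P1": [("send", "m1"), ("send", "m2")],
     "P2": [("recv", "m1"), ("recv", "m2")]},
)

if __name__ == "__main__":
    print(races(CHART_RACE))                                       # the (recv m1, recv m3) pair on P2
    print(races(CHART_FIFO), races(CHART_FIFO, fifo=False))        # set() and the (recv m1, recv m2) pair
```

A race is not a bug in the chart by itself; it is a warning that the scenario as drawn may be implemented by a system that actually delivers the two messages in the other order.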

HMSC (High-level Message Sequence Chart)

the specification of an MSC is a template, denoting a set of events (sending and receiving of messages) and their relative order;

An example of a template and a matching MSC scenario appears in Figure 11.5. In both charts, there are three processes, P1, P2 and P3. The result of this match is that $s_2$ is paired with $\sigma_1$, $r_2$ with $\rho_1$, $s_1$ with $\sigma_3$, and $r_1$ with $\rho_3$.

### 11.3 Visualizing Flowcharts and State Machines

Figure 11.6 represents the flowchart of the process mutex() from the following attempt at solving mutual exclusion:

### 11.4 Hierarchical State Graphs

limitations

• State graphs are flat
• State graphs represent a global view of the modeled system
• Due to the flat structure and global view, the state space is usually enormous
• The simplistic structure of graphs may introduce unnecessary redundancy

hierarchical state graphs -> STATECHARTS

#### 11.4.1 Hierarchical States

• A state can cluster together a subgraph

In Figure 11.7, the state C contains a subgraph which consists of the states A and B.

#### 11.4.2 Unified Exits and Entries

A transition from a superstate replaces a transition from any of the substates that are included within it.

in Figure 11.8,

#### 11.4.3 Concurrency

A superstate can contain several concurrent components.

In Figure 11.9, superstate S includes two concurrent components, C and F.

#### 11.4.4 Inputs and Outputs

STATECHARTS are intended especially for specifying reactive systems.

• en(T)
• ex(T)
• in(T)

### 11.6 Petri Nets

• place
• transition: bar
