软件可靠性方法 学习笔记

软件可靠性方法

English: Software Reliability Methods

Doron A.Peled

http://u.cs.biu.ac.il/~doronp/srm.html

中文版序

形式化方法的研究牵涉了数学、计算机科学中的不同领域。本书中描述的主要技术是基于自动机理论和逻辑。
而形式化方法、技术和工具中还用到一些更深的思想,比如机器学习、微分方程、数据结构、博弈论等。
经过对其多年的研究,我已经确信这是最有意思的研究领域。

译者序

英文版序

前言

  • 如果没有直接使用相关工具的实际经验,对形式化方法的学习就是不完整的。
  • 学习形式化方法并且了解其优点和缺陷的一个有效方法是跟踪理解这些跨章节的实例

第1章 引言

软件开发过程中的质量控制

1.1 形式化方法

演绎软件验证(deductive software verification)

  • 正确性:系统是否满足客户的规约
    • 系统vs规约
    • deductive software verification
    • 不变式:正确性断言
  • model checking: FSM
  • 软件测试

1.2 开发与学习形式化方法

  • 规约
  • 验证
  • 测试

1.3 使用形式化方法

  • 获得关于一个系统共同的、形式化的描述。形式化规约(specification)允许参与开发的不同小组共同使用对系统或其属性的一致描述。
  • 研究形式化方法的目的是找出系统开发过程中引入的错误
  • 可将形式化方法集成到开发过程中,并起到辅助作用。

1.4 应用形式化方法

  • 状态空间爆炸
  • 可组合:先对系统各部分单独验证,再推断系统整体可靠性

1.5 本书概要

  • loigc
  • FSM

第2章 预备知识

2.1 集合表示法

2.2 字符串和语言

2.3 图

图2.1中表示的是有向图的一个例子。节点的集合是{r1,r2,…,r9}。
所有的边如下:{(r1,r2),(r2,r3),(r3,r1),(r2,r5),(r3,r4),(r4,r4),(r5,r6),

2.4 计算复杂度和可计算性

Turning Machine

  • 确定性模型
  • 非确定性模型

复杂度指标
- 空间/时间
- 度量(多项式,指数)
- 确定性/非确定性

2.5 扩展阅读

第3章 逻辑和定理证明

  • 语法:规定如何写合法/良序的公式
  • 语义:规定每个公式的明确含义

3.1 一阶逻辑

first order loigc

  • domain
  • codomain

  • first order: 公式中所有变元的值域为一常量domain

  • second order: 变元可为简单变元或集合变元

集合变元x:x的取值可以是对象的集合

3.2 项(term)

signature G=(V,F,R)

  • 集合V,F,R两两不相交
  • V:变元集合
  • F:函数集合
  • R:关系集合

arity(元数):参数的个数。 加法函数add()的元数为2,
sine()函数的元数为1

项:函数和变元所构造的表达式。
例如,令v1为一变元,zero和one为常量,add为二元函数符号,
则add(one,one)和add(add(one,one),v1)为项

BNF
term:=var|const|func(term,...terms)

  • var: 变元
  • func:函数
  • const:常量

论域D: 一个值的集合

结构S=(G,D,F,R,f)

  • G=(V,F,R): signature
  • D: 论域
  • F:函数集合
  • R:关系集合
  • 映射fFRFR:

Examples:

  • 符号sub: 可由f映射到整数域的减法
  • +:+本身只是一个语法对象,通过f映射赋予加法含义

3.2.1 赋值和解释

assignment: 将变元集合V中变元映射到论域D中值,记作: α:VD

Examples:
设D为整数集,变元集合V={v1,v2,v3};可设一赋值为α={v13,v20,v35}

  • term(G): signature G上所有项。
  • Tα:term(G))D: 语义解释(semantic interpretation),将每个项映射为论域中值。

递归定义:

{Tα(v)=α(v),vVTα(func(e1,,en))=f(func)(Tα(e1),,Tα(en))

Example:

整数域和赋值α={v12,v23,v34}
令f将add映射到整数上的加法:

Tα(v1)=Tα(v2)=Tα(v3)=Tα(add(v1,v2))=α(v1)=α(v2)=α(v3)=f(add)(Tα(v1),Tα(v1))234=2+3=5

3.2.2 多个论域上的结构

3.3 一阶公式

简单公式:
simpform::=rel(term,term,...,term)|termterm

  • rel: 关系符号
  • : 等于

量词(quantifier):

一阶公式的语义解释:

变体(variant): 令a为赋值,v为变元,d为给定论域D中一值。
变体a[d/v]表示:

the semantic of quantified formulas is defined as follows:

3.4 命题逻辑

3.5 证明一阶逻辑公式

??

When $$ for every strucuture $\Gamma \models^{S} \varphi $, we say $\varphi$ follow from $\Gamma$,
and write $\Gamma \models \varphi$.

a proof system

  • a set of axioms
    • every axiom is a equation template
  • proof rules
    • includes premise and consequent

3.5.1 正向推理

3.5.2 反向推理

3.6 证明系统的属性

Fermat’s conjecture:

3.6.1 正确性

正确性(soundness)的含义是:该系统只能被用来证明正确的事实。也就是说,如果Γφ,那么一定有Γφ

3.6.2 完备性

完备性(completeness)的含义是:如果Γφ,那么一定有Γφ

3.6.3 可判定性

一阶逻辑是半可判定的(semi-decidable):没有算法能够检验Γφ是否成立,
但存在一算法,当时Γφ成立时,可构造出Γφ的证明

3.6.4 结构完备性

  • Presburger Arithmetic
  • 皮亚诺算术(Peano Arithmetic)

3.7 证明命题逻辑属性

可满足性问题(satisfiability problem): 检查是否存在赋值以满足一个给定命题逻辑公式的问题

3.8 一个实用的证明系统

PVS system

type system

3.9 证明示例

3.10 机器辅助证明

机械化定理证明器(mechanized theorem prover)

3.11 机械化定理证明器

3.12 扩展阅读

第4章 软件系统建模

the aim of modeling is to reduce the checked system.

4.1 顺序系统、并发系统及反应式系统

  • sequential system

  • concurrent system

  • reactive system

Example:(distributed systems): a specification of airline
reservation system.

  • autonomous
  • coordinate

non-determinism:

the following are some of the topics one may consider when modeling software system.

  • Representing system
  • Granularity
  • The execution model
  • Global and local state

4.2 状态

  • initial states
  • final states

4.3 状态空间

transition system

  • interleaving model

Question:
In reality, transitions among different processes maybe overlapped
in time. How does the interleaving model to deal with it?

  • communtative

交换代数么?

4.4 转换系统

Formally, a transition system (S,T,) is defined as follows:

  • A first order structure S

  • An execution of a system is a sequence of states.

A nondetermined scheduler

  • fairness

4.5 转换的粒度

4.6 为程序建模的例子

4.6.1 整数除法

4.6.2 计算组合数

4.6.3 Eratosthenes筛法

4.6.4 互斥

4.7 非确定性转换

4.8 将命题变量赋给状态

4.9 合并状态空间

4.10 线性视角

LTL

4.11 分支视角

CTL

  • linear view vs. branching view
    • closed system
    • open system

4.12 公平性

fairness: refer to semantic constraints imposed on interleaved
executions of concurrent systems.

fairness assumption: to rule out infinite executions that
are unreasonable for architecture of systems.

  • weak process fairness
  • strong
  • weak transition fairness
  • strong

To demonstrate this, and some of the above fairness conditions,
consider a program with two processors P1 and P2.

  • Question: how to select a certain fairness?

4.13 偏序视角

4.13.1 一个银行系统的例子

the criticism of the interleaving model:

  • not distinguish between nondeterministic choice and concurrency
  • need the global states of the entire system.

to relate the partial order execution model to concurrent software,
observe that concurrent programs usually have a number of
components, each having its own local state space.

For example, we may have a separate component for each

  • processor Pi (including the set of variables that can be used or changed only by Pi)
  • global variables, or
  • message queue

4.13.2 线性化和全局状态

the linearization of partial order

4.13.3 一个简单的例子

4.13.4 偏序模型的应用

4.14 形式化建模

  • CCS, LOTOS
  • promela

4.15 一个项目的建模

4.16 扩展阅读

第5章 形式化规约

验证与规约:

  • 相关联
  • 相制约

形式化规约 -> formal specification can be used as a contract
between client and developers.

5.1 规约机制的属性

A specification needs to be precise and has a unique and agreed upon
interpretation. Therefore, a specification formalization is required to have
a well-defined syntax and precise semantics.

Question: Does the system satisfy its specification?

  • effective: is there a way to check or verify that a system is consistent with its sepcification?
  • expressiveness:

trade off: effective vs. expressiveness -> no sliver bullet

  • linear temporal logic
  • automata

5.2 线性时序逻辑

modal logic

the syntax of LTL:

the semantic of LTL:

the modal operator:

  • nexttime
  • eventually
  • always
  • until
  • release

5.3 公理化LTL

the axiomatization includes three parts
- the first part consists of eight axioms:

  • the second part consists of a sound and complete axiomatization for propositional logic.

  • the proof system also includes the proof rule:

5.4 LTL规约示例

?

5.4.1 交通灯

5.4.2 顺序程序的属性

5.4.3 互斥

5.4.4 公平性条件

  • Weak transition fairness
  • Strong

5.5 无限字上的自动机

ω automata: finite automata over infinite words.

ω regular language:

Bu¨chi automata:

?

5.6 使用Büchi自动机作为规约

büchi自动机 wiki

5.7 确定性Büchi自动机

5.8 其他规约机制

5.9 复杂的规约

5.10 规约的完整性

5.11 扩展阅读

  • automata of infinite objects

第6章 自动验证

Model checking: the algorithmic verification of programs against temporal logic specification.

  • DFS
  • BFS

6.1 状态空间搜索

  • It is important to represent each state with enough information
    that will allow us to calculate the successors with respect to
    the enabled transitions.
  • It is also important to be able to distiguish each state from other, different states.

6.2 状态表示方法

a typical state representation:

6.3 自动机结构体系

Buchi automata

the question in the next section: Buchi automata are closed
under intersection, union and complementation.

6.4 合并Büchi自动机

An important property for a specification formalism is its closure
under the Boolean operators and, or and not.

6.4.1 广义Büchi自动机

6.4.2 将广义Büchi自动机转换为简单Büchi自动机

6.5 Büchi自动机求补

6.6 检验空集

6.7 模型检验范例

6.8 将LTL转换为自动机

question: how to translate LTL into generalized Buchi automata

6.9 模型检验的复杂度

6.10 表示公平性

6.11 检验LTL规约

6.12 安全属性

safety property

6.13 状态空间爆炸问题

  • Binary Decision Diagram
  • Partial Order Reduction
  • Symmetry

6.14 模型检验的优点

6.15 模型检验的缺点

6.16 选择自动验证工具

6.17 模型检验项目

6.18 模型检验工具

6.19 扩展阅读

第7章 演绎式软件验证

7.1 流程图程序的验证

Floyd

a flowchart has four kinds of nodes (see Figure 7.1)

  • An oval
  • An oval
  • A parallelogram
  • A rhombus

  • initial condition
  • final assertion
  • precondition
  • postcondition

partial correctness: {φ}P{ψ}

  • φ
  • P
  • ψ

total correctness:

7.2 含数组变量的验证

7.2.1 含数组变量赋值的问题
7.2.2 修改证明系统

7.3 完全正确性

prrtially ordered domain:

example:

  • 整数集 大于关系 >

well founded domain: a partially ordered domain that
contains no infinite decreasing sequence, i.e.,
no sequence of the form w0>w1>>wn>

7.4 公理式程序验证

Hoare Axiom

7.4.1 赋值公理

It takes the postcondition , describing states after the
execution of the assignment , and translates it to the
corresponding precondition, stated in terms of the
variables before the assignment。

{φ[e/v]}v:=e{ψ}

7.4.2 空语句公理

7.4.3 左强化规则

7.4.4 右弱化规则

7.4.5 顺序组合规则

7.4.6 if-then-else规则

7.4.7 while规则

7.4.8 begin-end规则

7.4.9 示例:整数除法

7.5 并发程序的验证

7.6 演绎验证的优点

7.7 演绎验证的缺点

7.8 证明系统的正确性和完备性

7.9 组合性

7.10 演绎验证工具

7.11 扩展阅读

第8章 进程代数与等价关系

process algebras are formalisms for modelling the behavior of systems.

nondeterministic choice

Since process algebra usually deals with the issues of comparing
different systems, choosing right corresponding criteria
between system is of great importance.

  • Minlner
  • Hoare
  • Park

8.1 进程代数

agent: an abstract description of a system.

the main research contents of process algebra:

  • define agent: how its evolve
  • define various operators
  • define the interaction among operators

another important ingredient of process algebra: a collection of comparsion criteria,
i.e., equivalence relations between agents.

In process algebra, there is usually no explicit notation of a state as
a mapping from variables to values.

process algebra is focus on the the actions of a system,
rather than its states.

  • co-action: a¯¯
  • invisible(silent,internal)

  • event: E1αE2

    • enabled
    • lead to:
  • Graph vs configuration

  • extended event:E1αE2

  • diverge:

8.2 通信系统的演算

CCS

the agents can be defined in BNF as follows:

8.2.1 动作前缀

α.EαE

8.2.2 选择

EαEE+FαE

FαFE+FαF

8.2.3 并发组合

8.2.4 限制符

EαE,α,α¯RERαER

8.2.5 重标记

8.2.6 等式定义

how the event α||Aβα||(α||A) is derived from the the axiom and rules.

8.2.7 agent 0

Figure 8.3 describes the graph of agent α.(β.(δ||δ¯)+γ).

8.2.8 传值agent

example: buy(x).(insure¯¯¯¯¯¯¯¯¯¯(x).(drive¯¯¯¯¯¯¯¯(x)))

8.3 示例:Dekker算法

8.4 建模问题

8.5 agent之间的等价性

the hierarchy (a partial order) of different equvalence

8.5.1 迹等价

trace: a finite sequence of actions executed by a given agent.

T(E): the set of all the traces that can be performed from an agent E.

8.5.2 失败等价

a failure of an agent E:

Let Fail(E) be the set of failures of agent E. If Fail(E) = Fail(F),
say that E and F are failure equivalent.

8.5.3 模拟等价

8.5.4 互模拟和弱互模拟等价

8.6 等价关系的层级

Figure 8.10 depicts the hierarchy of equvalences.

8.7 用进程代数研究并发

8.8 计算互模拟等价

检查agent E和F之间互摸拟等价的经典算法:

  • start by constructing the state space <S,Δ>
    • where S is the finite set of agents that can be evolved from either E or F (thus E,FS).
    • Δ is the transition relations between agents, i.e., ΔS×(Act{τ})×S
  • The algorithm repeatly partitions the states of S into the disjoint subsets

the partition algorithm is as follows:

8.9 LOTOS

Language of Temporal Ordering Specification.

In Lotos, agents are called processes, a process is defined as follows:


    process process_name [action_list] :=
        behavior_expression
    end proc

differ from CCS, Lotos does not contains co-action.

LOTOS provides three kinds methods to merge concurrent processes:

  • Full synchronization
  • Pure interleaving
  • Selective synchronization

  • enabling operator

  • disruption operator
  • hide

8.10 进程代数工具

8.11 扩展阅读

第9章 软件测试

the levels of tesing:

  • unit testing
  • integration
  • system
  • acceptance
  • regression

  • white box

  • black box

9.1 审查和走查

9.2 控制流覆盖准则

9.2.1 语句覆盖

9.2.2 边覆盖

9.2.3 条件覆盖

9.2.4 边/条件覆盖

9.2.5 条件组合覆盖

9.2.6 路径覆盖

9.2.7 不同覆盖准则的比较

9.2.8 循环覆盖

9.3 数据流覆盖准则

the hierarchy of dataflow coverage criteria

9.4 传播路径条件

9.4.1 示例:GCD程序

9.4.2 含有输入语句的路径

9.5 等价类划分

9.6 待测代码预处理

9.7 检查测试套件

9.8 组合性

9.9 黑盒测试

9.10 概率测试

markov chain

9.11 测试的优点

9.12 测试的缺点

9.13 测试工具

9.14 扩展阅读

第10章 组合形式化方法

  • automatic verification: state explosion
  • theorem proving: slow and require human skills

10.1 抽象

two verification tasks:

  • Proving the essential properties are preserved between
    the original system and its simple version.
  • Proving the correctness of the simplified version.

abstract: reduce a system of infitine state to a finite state one.

  • fail to find a appropriate abstraction
  • or fail to formally prove the correspondence between
    the original system and its abstract version.

Consider a concrete transition system P (its structure will be given later)
whose state space is AP={S,}

two simultion relations:

  • a forward simulation
  • a backward simulation

The forward simulation relation R must satisfy the following conditions

  • For each initial state

10.2 组合测试与模型检验

10.2.1 直接检验

10.2.2 黑盒系统

10.2.3 组合锁自动机

combination lock automata

Figure 10.4 gives a combination lock automata for n =5.

10.2.4 黑盒死锁检测

10.2.5 一致性测试

Calculating distinguishing sequence

distiguishing set: ds(C)={dist(s,r)|sCrC}

10.2.6 检验重置的可靠性

10.2.7 黑盒检验

10.3 净室方法

cleanroom method

Reference: 《零缺陷程序设计》

10.3.1 验证
10.3.2 证明审查
10.3.3 测试

10.4 扩展阅读

第11章 可视化

UML

SCADE Suite建模语言为 SSM(Graphical Esterel) + Lustre

11.1 在形式化方法中运用可视化

  • automata
  • flowchart

11.2 消息序列图

Message Sequence Chart(MSC)

  • UML user case
  • communication protocol

the goal of MSC: to describe scenario involving processes communication.

It can be used to denote the communication structure of typical or exceptional executions of a system,
or a counterexample found during testing or model checking.

Figure 11.1 and 11.2 show corresponding graphical and
textual representation of an MSC.
MSC examples

the corresponding code

tools:
- an analyzer for message sequence charts

MSC semantics: partically ordered set of events (偏序集)

The sematics of an MSC dependes on the architectural parameters;
it can differ between architectures with fifo (first-in, first out) or
non-fifo queues, or between architectures with one or
multiple incoming message queues.

Each MSC corresponds to a graph (S,<), its semantic interpretation
that assumes that for a pair of MSC events p,qS,
p<q means p precedes q:

  • Causality: A send p and its corresponding receive q
  • Controlability: the event p appears above q on the same process line,
    and q is send event.
  • FIFO order: The receive event p appears above the receive events q on the same process line,
    and the corresponding send events p’, q’ appear on a mutal process line,
    where p’ is above q’.

Notices: Controlability

the figure 11.1 describes an interaction between three processes,
P1,P2 and P3.
an interaction among processes

verification algorithms for MSC:

  • race condition

Race: a pair of MSC events p,q such that

  • p and q appear on the same process line
  • p appear above q, and
  • there is no path from p to q in the graph (S,<)

HMSC(Highlevel Message Sequence Chart)

the specification of MSC is a template, denoting a set of events
(sending and receiving of message) and their relative order;

An example of a template and a matching MSC scenario appears in
Figure 11.5. In both charts, there are three processor, P1, P2 and P3.
The result of this match is that s2 is paired with σ1,
r2 with ρ1, s1 with σ3, and r1 with ρ3.

11.3 可视化流程图和状态机

flowchart visualize

Figure 11.6 represents the flowchart of the process mutex()
form the following attempt at solving the mutual exclusion:

11.4 层次状态图

limitations

  • State graphs are flat
  • State graphs represent a global view of the modeled system
  • Due to the flat structure and global view, the state space is usually enormous
  • The simplistic structure of graphs may introduce unnecessary redundancy

hierarchical state graphs -> STATECHART

11.4.1 层次化状态

  • A state can cluster together a subgraph

In Figure 11.7, the state C contains a subgraph which consists of
the states A and B.

subgraph

11.4.2 统一的出口和入口

A transition from a superstate replaces a transition from
any of the substate that are included within it.

in Figure 11.8,

superstate

11.4.3 并发

A superstate can contains several concurrent components

In Figure 11.9, superstate S incliudes two concurrent components,
C and F

concurrent substate

11.4.4 输入和输出

STATECHARTS are intended especially for specifying reactive system.

  • en(T)
  • ex(T)
  • in(T)

11.5 程序文本的可视化

11.6 Petri网

  • place
  • transition: bar

  • -

11.7 可视化工具

11.8 扩展阅读

结束语

参考文献

©️2020 CSDN 皮肤主题: 大白 设计师: CSDN官方博客 返回首页
实付0元
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值