Software Profiling for Designing Dependable Software

Transcription

Martin Hiller
Volvo Technology Corporation, Sweden
Technische Universität Darmstadt, Germany
Arshad Jhumka, Neeraj Suri
Technische Universität Darmstadt, Germany
Overall Objectives

For black-box software, reliability can be provided/increased by adding mechanisms that detect and correct data errors.

[Figure: example system of six interconnected software modules, A to F]

The €1,000,000 question: given a software system and limited resources, where should the mechanisms be placed?

→ Systematic placement of EDM's and ERM's
(EDM = Error Detection Mechanism, ERM = Error Recovery Mechanism)
Martin Hiller, Volvo Technology Corporation
SMC-IT 2003 (July 14, 2003)
Placing Software Mechanisms

[Figure: flow diagram. Three inputs feed the software profiles: the Fault/Error Model (type and occurrence of the errors), the available Dependability Structures/Mechanisms, and Implementation Details. The Software Profiles expose vulnerabilities and hot-spots, which drive the final step, "Equipping Software With EDM's / ERM's".]
Motivation for Software Profiling

[Figure: the six-module system A to F drawn three times with error markers (!), labelled "Increasingly bad"]

Obtain profiles of the software system to select locations.
Profiling Modular Software

Software profiling w.r.t.

• Propagation: WHERE does an error GO when it appears?
  [Figure: six-module system A to F]
• Effect: WHAT does an error DO when it appears?
  [Figure: six-module system A to F]
Error Permeability – Letting Errors Pass

[Figure: module M with inputs 1..m (Input 1, Input 2, ..., Input i, ..., Input m) and outputs 1..n (Output 1, Output 2, ..., Output k, ..., Output n); $n_{inj}$ errors are injected into input i and $n_{err}$ errors are observed in output k]

Estimated error permeability (by fault injection):

$$P^{M}_{i,k} = \frac{n_{err}}{n_{inj}}$$

where $n_{inj}$ is the number of errors injected into input i of module M and $n_{err}$ the number of those injections that produced an error in output k. A total of m·n values for module M.

Analytical error permeability:

$$0 \le P^{M}_{i,k} = \Pr\{\text{error in output } k \mid \text{error in input } i\} \le 1$$
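The following Python script is an added illustration, not part of the slides or of the authors' tooling. It estimates the permeability matrix $P^{M}_{i,k}$ of a black-box module exactly as the formula above describes: flip one bit of one input, rerun the module, and count how often each output differs from the fault-free run. The module toy_dist_s, the 16-bit signal width and the workload are constructed for the example; one (input, output) pair is designed so that no error can reach the output, which is the zero-permeability case the deck later reports for PRES_S.

```python
"""Estimating the error permeability P[i][k] of a black-box module.

Added example (not from the slides): the module toy_dist_s is a constructed
stand-in with two inputs and two outputs; the workload is constructed too.
"""
from typing import Callable, List, Sequence, Tuple

Module = Callable[[Sequence[int]], Sequence[int]]

WIDTH = 16  # assumed signal width; each bit of an input is flipped once per workload item


def flip_bit(value: int, bit: int, width: int = WIDTH) -> int:
    """Single-bit error: flip one bit of an unsigned `width`-bit value."""
    return (value ^ (1 << bit)) & ((1 << width) - 1)


def toy_dist_s(inputs: Sequence[int]) -> Tuple[int, int]:
    """Constructed module: (pulses, ticks) -> (speed, stopped).

    `stopped` depends on `pulses` alone, so no error in `ticks` can ever
    reach it: the analytical permeability for that pair is exactly 0.
    """
    pulses, ticks = inputs
    speed = min((pulses * 1000) // ticks, 0xFFFF) if ticks else 0xFFFF
    stopped = 1 if pulses == 0 else 0
    return speed, stopped


def estimate_permeability(module: Module, m: int, n: int,
                          workload: Sequence[Sequence[int]],
                          width: int = WIDTH) -> List[List[float]]:
    """Return the m x n matrix P[i][k] = n_err[i][k] / n_inj[i].

    Every injection is a fresh run of the module with one bit of one input
    flipped; output k counts as erroneous when it differs from the golden
    (fault-free) output for the same workload item.
    """
    n_inj = [0] * m
    n_err = [[0] * n for _ in range(m)]
    for inputs in workload:
        golden = module(inputs)
        for i in range(m):
            for bit in range(width):
                faulty = list(inputs)
                faulty[i] = flip_bit(faulty[i], bit, width)
                out = module(faulty)
                n_inj[i] += 1
                for k in range(n):
                    if out[k] != golden[k]:
                        n_err[i][k] += 1
    return [[n_err[i][k] / n_inj[i] if n_inj[i] else 0.0 for k in range(n)]
            for i in range(m)]


# Constructed workload: drum standing still, turning slowly, turning faster.
WORKLOAD = [(0, 500), (8, 500), (37, 1000)]


def toy_permeability() -> List[List[float]]:
    """P for toy_dist_s over WORKLOAD; rows = inputs, columns = outputs."""
    return estimate_permeability(toy_dist_s, m=2, n=2, workload=WORKLOAD)


if __name__ == "__main__":
    P = toy_permeability()
    for i, src in enumerate(("pulses", "ticks")):
        for k, dst in enumerate(("speed", "stopped")):
            print(f"P[{src} -> {dst}] = {P[i][k]:.3f}")
```

Two points the run makes visible: a measured permeability is only as good as the workload it was measured on (the `pulses -> stopped` value depends entirely on how many injections land on the one bit pattern that toggles the flag), and the estimate of an analytically zero pair is exactly zero no matter the workload, because the data dependency simply does not exist.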
SW Profiling: Propagation Analysis

• Module Error Permeability (of M)
  To what degree does a module let errors "pass through"?
  High value → error containment should be increased
• Module Error Exposure (of M)
  To what degree is a module "exposed" to propagating errors?
  High value → error shielding should be high
• Signal Error Exposure (of a signal)
  To what degree is a signal "exposed" to propagating errors?
  High value → error shielding should be high
Example: Aircraft Arrestment System

[Figure: target system overview. A cable runs between two tape drums (original and mirror); a rotation sensor on the drum, a pressure sensor and a pressure valve are connected to the computer.]

[Figure: target software overview. Modules CLOCK, DIST_S, PRES_S, CALC, V_REG and PRES_A; internal signals ms_slot_nbr, i, mscnt, pulscnt, slow_speed, stopped, SetValue, IsValue and OutValue; hardware interfaces PACNT, TIC1, TCNT and ADC (the system inputs) and TOC2.]
Estimated Module Permeabilities

[Figure: target software overview with the modules shaded by estimated permeability; labels "Highest Permeability" and "Zero Permeability"]

We obtained zero permeability for errors in PRES_S (DSN 2001).
Estimated Module Error Exposures

[Figure: target software overview with the modules shaded by estimated error exposure; labels "Highest Exposure", "Zero Exposure" and "No Exposure Assigned"]

Indicates good candidates for EDM's and ERM's.
Estimated Signal Error Exposures

[Figure: target software overview with the signals shaded by estimated error exposure; labels "Highest Exposure", "Lowest Exposure" and "Zero Exposure"]
SW Profiling: Effect Analysis
Taking care of the "what if"s

[Figure: six-module system A to F with a system output O]

• Signal Impact (of S on O)
  To what degree does an error in S affect output O?
  High value → error recovery should be increased
• Signal Criticality (of S)
  "Cost" of an error in S as seen from the system boundary
  – Multiple outputs: bias the impact by output "importance"
  – Single output: constant scaling
  High value → error recovery should be increased
Module Impact & Criticality

[Figure: six-module system A to F with a system output O]

• Module Impact (of M)
  To what degree does an error in the output of M affect the system output?
  High value → error recovery should be increased
• Module Criticality (of M)
  "Cost" of an error in the output of M as seen from the system boundary
  High value → error recovery should be increased
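As an added example (not from the slides), the script below estimates Signal Impact and Signal Criticality for a constructed three-stage pipeline: one bit of an internal signal is flipped per run, the effect on each system output is recorded, and criticality is taken as the impact weighted by an assumed per-output importance, which with a single output reduces to the constant scaling the previous slide mentions. Module impact and module criticality follow by taking the module's output signal as S. The pipeline run_system, the workload and the weights are all assumptions made for the illustration.

```python
"""Signal impact and signal criticality by fault injection into internal signals.

Added example, not from the slides.  The three-stage pipeline run_system is a
constructed stand-in for a control loop; the output weights are an assumption
standing in for the "importance" of each system output.
"""
from typing import Dict, Optional, Sequence, Tuple

WIDTH = 16
SIGNALS = ("speed", "stopped", "setvalue")   # internal signals S
OUTPUTS = ("valve", "display")               # system outputs O


def flip_bit(value: int, bit: int, width: int = WIDTH) -> int:
    return (value ^ (1 << bit)) & ((1 << width) - 1)


def run_system(pulses: int, ticks: int,
               corrupt: Optional[Tuple[str, int]] = None) -> Dict[str, int]:
    """Run the constructed pipeline once.

    `corrupt = (signal, bit)` flips one bit of that internal signal at the
    point where it is handed to the next stage (one error per run).
    """
    def pass_on(name: str, value: int) -> int:
        if corrupt is not None and corrupt[0] == name:
            return flip_bit(value, corrupt[1])
        return value

    # Stage 1 (DIST_S-like): speed and a stopped flag from pulse/timer inputs.
    speed = pass_on("speed", min((pulses * 1000) // ticks, 0xFFFF) if ticks else 0xFFFF)
    stopped = pass_on("stopped", 1 if pulses == 0 else 0)
    # Stage 2 (CALC-like): set point, forced to 0 while stopped, saturating at 12 bits.
    setvalue = pass_on("setvalue", 0 if stopped else min(speed // 4, 4095))
    # Stage 3 (V_REG-like): valve command from the set point; display shows coarse speed.
    return {"valve": setvalue >> 4, "display": 0 if stopped else speed // 100}


def estimate_impact(workload: Sequence[Tuple[int, int]],
                    width: int = WIDTH) -> Dict[str, Dict[str, float]]:
    """Impact(S, O) = share of single-bit errors in S that change system output O."""
    hits = {s: {o: 0 for o in OUTPUTS} for s in SIGNALS}
    n_inj = 0
    for pulses, ticks in workload:
        golden = run_system(pulses, ticks)
        for bit in range(width):
            n_inj += 1
            for s in SIGNALS:
                out = run_system(pulses, ticks, corrupt=(s, bit))
                for o in OUTPUTS:
                    if out[o] != golden[o]:
                        hits[s][o] += 1
    return {s: {o: hits[s][o] / n_inj for o in OUTPUTS} for s in SIGNALS}


def criticality(impact: Dict[str, Dict[str, float]],
                weights: Dict[str, float]) -> Dict[str, float]:
    """Criticality(S) = sum over outputs of importance(O) * Impact(S, O).

    With a single output this reduces to a constant scaling of the impact.
    """
    return {s: sum(weights[o] * impact[s][o] for o in OUTPUTS) for s in SIGNALS}


# Constructed workload and assumed output importance (the valve drives the actuator).
WORKLOAD = [(0, 500), (200, 500), (3000, 1000)]
WEIGHTS = {"valve": 1.0, "display": 0.1}


def toy_profile() -> Tuple[Dict[str, Dict[str, float]], Dict[str, float]]:
    imp = estimate_impact(WORKLOAD)
    return imp, criticality(imp, WEIGHTS)


if __name__ == "__main__":
    imp, crit = toy_profile()
    for s in SIGNALS:
        print(s, {o: round(imp[s][o], 3) for o in OUTPUTS}, "criticality", round(crit[s], 3))
```

The result shows the two halves of the effect profile: `setvalue` has a high impact on the valve but none on the display (the display never reads it), whereas a corrupted `stopped` flag zeroes both outputs whenever the drum is moving. Which of the two deserves recovery first is then decided by the weights, which is exactly what the "importance" bias on the previous slide is for.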
Exposure v/s Impact

[Figure: two bar charts on a Zero / Min / Max scale for the modules CLOCK, CALC, DIST_S, PRES_S, V_REG and PRES_A: Exposure (Propagation Profile) on the left and Impact (Effect Profile) on the right]
Time?
• Example
• Conclusions
Placing Software Mechanisms

[Figure: the placement flow diagram instantiated for this study]

• Fault/Error Models (Type, Occurrence): 1. system input; 2. random memory locations
• Dependability Structures/Mechanisms: Executable Assertions (EA's) for continuous and discrete signals
• Implementation Details
• Software Profiles: vulnerabilities, hot-spots
→ Equipping Software With EDM's / ERM's
EA Placement (based on the Propagation Profile)

[Figure: target software overview with the signals selected for executable assertions marked]

Assumptions and design information:
1. Errors are introduced via system inputs
2. Executable Assertions (not aimed at boolean values)
3. Black-box software
EA Placement (based on the Propagation and Effect profiles)

[Figure: target software overview with the signals selected for executable assertions marked]

Assumptions and design information:
1. Errors are introduced anywhere in memory
2. Executable Assertions (not aimed at boolean values)
3. Black-box software
Two Sets of EA's

[Figure: target software overview marking the signals covered by the two EA sets: P (Propagation) and P&E (Propagation and Effect)]
Evaluation With Two Error Models

[Figure: target software overview with the two error models annotated]

Error Model 1:
  Type = single bit errors
  Occurrence = once in a system input signal

Error Model 2:
  Type = single bit errors
  Occurrence = periodically (20 ms) in system memory
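Added example (not from the slides): two executable assertions of the kind listed on the earlier placement slide, one for a continuous signal (range plus rate of change) and one for a discrete signal (domain plus expected successor), with their detection coverage measured under an Error Model 1 style fault load (one bit flipped once in one signal sample, each injection a separate run). The checks, traces and tolerances are assumptions made for the illustration. The point it makes is why the coverage of a numeric assertion stays below 1: flips in the low-order bits remain inside the tolerance band, while a discrete signal with a known transition rule can be checked completely.

```python
"""Executable assertions on a continuous and a discrete signal, and the
detection coverage they reach under single-bit errors (Error Model 1 style:
one bit flipped once in one signal sample).

Added example, not from the slides.  The range/rate-of-change check for the
continuous signal and the domain/successor check for the discrete one are
assumptions about what such an EA looks like; the signal traces are constructed.
"""
from typing import Callable, Sequence

WIDTH = 16


def flip_bit(value: int, bit: int, width: int = WIDTH) -> int:
    return (value ^ (1 << bit)) & ((1 << width) - 1)


def ea_continuous(lo: int, hi: int, max_step: int) -> Callable[[int, int], bool]:
    """EA for a continuous signal: the value lies within [lo, hi] and changed by
    at most max_step since the previous sample.  Returns True when an error is detected."""
    def check(prev: int, value: int) -> bool:
        return not (lo <= value <= hi) or abs(value - prev) > max_step
    return check


def ea_discrete(domain: Sequence[int],
                successor: Callable[[int], int]) -> Callable[[int, int], bool]:
    """EA for a discrete signal: the value belongs to its domain and is the
    expected successor of the previous sample.  Returns True when an error is detected."""
    allowed = set(domain)

    def check(prev: int, value: int) -> bool:
        return value not in allowed or value != successor(prev)
    return check


def detection_coverage(trace: Sequence[int], initial: int,
                       check: Callable[[int, int], bool], width: int = WIDTH) -> float:
    """c_tot = detected / injected, flipping every bit of every sample once.
    Each injection is an independent run, so the EA sees the golden previous sample."""
    detected = injected = 0
    prev = initial
    for value in trace:
        for bit in range(width):
            injected += 1
            if check(prev, flip_bit(value, bit, width)):
                detected += 1
        prev = value
    return detected / injected


# Constructed traces: a speed ramp (10 per sample) and a slot counter cycling 0..9.
SPEED_TRACE = [10 * t for t in range(1, 17)]
SLOT_TRACE = [t % 10 for t in range(16)]


def coverage_speed() -> float:
    """Range 0..4000, at most 15 per sample: flips of the three low bits (and of
    bits 3 and 4 when they are set) stay inside the tolerance and escape detection."""
    return detection_coverage(SPEED_TRACE, initial=0, check=ea_continuous(0, 4000, 15))


def coverage_slot() -> float:
    """Domain 0..9 with a known successor: every single-bit error is caught."""
    return detection_coverage(SLOT_TRACE, initial=9,
                              check=ea_discrete(range(10), lambda p: (p + 1) % 10))


if __name__ == "__main__":
    print(f"speed EA coverage: {coverage_speed():.3f}")
    print(f"slot EA coverage:  {coverage_slot():.3f}")
```

Tightening `max_step` raises the coverage of the continuous assertion but also raises the false-alarm rate on a legitimately fast-changing signal, which is the trade-off that has to be settled per signal before an EA is placed; the profile says where an assertion pays off, not how tight it can be.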
Detection Coverage - Error Model 1

Comparison of Error Detection Coverage (Error Model 1: single bit-flips in system input signals). Coverage values as read from the bar chart, both EA sets side by side:

Input    P      P&E
PACNT    0.975  0.975
TIC1     0.000  0.000
TCNT     0.000  0.000
ADC      0.000  0.000
Detection Coverage - Error Model 2

[Figure: bar chart "Comparison of Error Detection Coverage (Error Model 2: periodic bit-flips in memory)". Coverage of the P and P&E sets is shown separately for errors injected into RAM, into the Stack, and in Total, each split into c_tot, c_fail and c_nofail. The highest bar is 0.811; the remaining bars lie between 0.017 and 0.418.]
Conclusions

• Method for software profiling
  – Error propagation profile: pinpoint vulnerable signals/modules and ascertain propagation paths (Exposure, Permeability)
  – Error effect profile: pinpoint signals/modules that endanger the system when erroneous (Impact, Criticality)
• Error model and detection coverage
  – Depending on the assumed error model, different SW profiles may have to be used
  – The error model as well as the available dependability structures/mechanisms play a major role in the obtained dependability of the system (of course)
→ Design aid to conduct cost-benefit analysis for selective placement
Some Future Directions

• Alternate means of estimating error permeability (dynamically or statically)
• Sensitivity of the estimated measures to the error model
• Handling looping structures amongst modules
• Investigate applicability of the profiling framework to other applications (and application areas)
Further Information

Go to the DEEDS web site
www.deeds.informatik.tu-darmstadt.de
or email to
martin.hiller@volvo.com