软件容错性.docx

软件容错性.docx

《软件容错性.docx》由会员分享，可在线阅读，更多相关《软件容错性.docx（15页珍藏版）》请在冰豆网上搜索。

软件容错性

Abstract—Thispaperpresentsanddiscussestherationalebehindamethodforstructuringcomplexcomputingsystemsbytheuseofwhatweterm“recoveryblocks,”“conversations,”and“fault-tolerantinterfaces.”Theaimistofacilitatetheprovisionofdependableerrordetectionandrecoveryfacilitieswhichcancopewitherrorscausedbyresidualdesigninadequacies,particularlyinthesystemsoftware,ratherthanmerelytheoccasionalmalfunctioningofhardwarecomponents.

IndexTerms—Acceptancetest,alternateblock,checkpoint,conversation,errordetection,errorrecovery,recoveryblock,recursivecache.

Theconceptof“fault-tolerantcomputing”hasexistedforalongtime.Thefirstbookonthesubject[10]waspublishednolessthantenyearsago,butthenotionoffaulttolerancehasremainedalmostexclusivelythepreserveofthehardwaredesigner.Hardwarestructureshavebeendevelopedwhichcan“tolerate”faults,i.e.,continuetoprovidetherequiredfacilitiesdespiteoccasionalfailures,eithertransientorpermanent,ofinternalcomponentsandmodules.However,hardwarecomponentfailuresareonlyonesourceofunreliabilityincomputingsystems,decreasinginsignificanceascomponentreliabilityimproves,whilesoftwarefaultshavebecomeincreasinglyprevalentwiththesteadilyincreasingsizeandcomplexityofsoftwaresystems.

Ingeneral,fault-toleranthardwaredesignsareexpectedtobecorrect,i.e.,thetoleranceappliestocomponentfailuresratherthandesigninadequacies,althoughthedividinglinebetweenthetwomayonoccasionbedifficulttodefine.Butallsoftwarefaultsresultfromdesignerrors.Therelativefrequencyofsucherrorsreflectsthemuchgreaterlogicalcomplexityofthetypicalsoftwaredesigncomparedtothatofatypicalhardwaredesign.Thedifferenceincomplexityarisesfromthefactthatthe“machines”thathardwaredesignersproducehavearelativelysmallnumberofdistinctiveinternalstates,whereasthedesignerofevenasmallsoftwaresystemhas,bycomparison,anenormousnumberofdifferentstatestoconsider—thusonecanusuallyaffordtotreathardwaredesignsasbeing“correct,”butoftencannotdothesamewithsoftwareevenafterextensivevalidationefforts.（Thedifferenceinscaleisevidencedbythefactthatasoftwaresimulatorofacomputer,writtenatthelevelofdetailrequiredbythehardwaredesignerstoanalyzeandvalidatetheirlogicaldesign,isusuallyoneormoreordersofmagnitudesmallerthantheoperatingsystemsuppliedwiththatcomputer.）

Ifalldesigninadequaciescouldbeavoidedorremovedthiswouldsufficetoachievesoftwarereliability.（Wehereusetheterm“design”toinclude“implementation,”whichisactuallymerelylow-leveldesign,concerningitselfwithdetaileddesigndecisionswhosecorrectnessneverthelesscanbeasvitaltothecorrectfunctioningofthesoftwareasthatofanyhigh-leveldesigndecision.）Indeedmanywritersequatetheterms“softwarereliability”and“programcorrectness.”However,untilreliablecorrectnessproofs（relativetosomecorrectandadequatelydetailedspecification）,whichcoverevenimplementationdetails,canbegivenforsystemsofarealisticsize,theonlyalternativemeansofincreasingsoftwarereliabilityistoincorporateprovisionsforsoftwarefaulttolerance.

Infactthereexistsophisticatedcomputingsystems,designedforenvironmentsrequiringnear-continuousservice,whichcontainadhocchecksandcheckpointingfacilitiesthatprovideameasureoftoleranceagainstsomesoftwareerrorsaswellashardwarefailures[11].Theyincidentallydemonstratethefactthatfaulttolerancedoesnotnecessarilyrequirediagnosingthecauseofthefault,orevendecidingwhetheritarisesfromthehardwareorthesoftware.Howevertherehasbeencomparativelylittlespecificresearchintotechniquesforachievingsoftwarefaulttolerance,andtheconstraintstheyimposeoncomputingsystemdesign.

ItwasconsiderationssuchasthesethatledtotheestablishmentattheUniversityofNewcastleuponTyneofaprojectonthedesignofhighlyreliablecomputingsystems,underthesponsorshipoftheScienceResearchCounciloftheUnitedKingdom.Theaimsoftheprojectwereandare“todevelop,andgivearealisticdemonstrationoftheutilityof,computerarchitectureandprogrammingtechniqueswhichwillenableasystemtohaveaveryhighprobabilityofcontinuingtogiveatrustworthyserviceinthepresenceofhardwarefaultsand/orsoftwareerrors,andduringtheirrepair.Amajoraimwillbetodeveloptechniqueswhichareofgeneralutility,ratherthanlimitedtospecialisedenvironments,andtoexplorepossibletradeoffsbetweenreliabilityandperformance.”Amodestnumberofreportsandpapershaveemanatedfromtheprojecttodate,includingageneraloverview[12],papersconcernedwithaddressingandprotection[6],[7],andapreliminaryaccountofourworkonerrordetectionandrecovery[5].Thepresentpaperendeavors

toprovidearathermoreextensivediscussionofourworkonsystemerrorrecoverytechniques,andconcentratesontechniquesforsystemstructuringwhichfacilitatesoftwarefaulttolerance.Acompanionpaper[1]presentsaproof-guidedmethodologyfordesigningtheerrordetectionroutinesthatourmethodrequires.

Allfaulttolerancemustbebasedontheprovisionofusefulredundancy,bothforerrordetectionanderrorrecovery.Insoftwaretheredundancyrequiredisnotsimplereplicationofprogramsbutredundancyofdesign.

Theschemeforfacilitatingsoftwarefaulttolerancethatwehavedevelopedcanberegardedasanalogoustowhathardwaredesignersterm“stand-bysparing.”Asthesystemoperates,checksaremadeontheacceptabilityoftheresultsgeneratedbyeachcomponent.Shouldoneofthesechecksfail,asparecomponentisswitchedintotaketheplaceoftheerroneouscomponent.Thesparecomponentis,ofcourse,notmerelyacopyofthemaincomponent.Ratheritisofindependentdesign,sothattherecanbehopethatitcancopewiththecircumstancesthatcausedthemaincomponenttofail.（Thesecircumstanceswillcomprisethedatathecomponentisprovidedwithand,inthecaseoferrorsduetofaultyprocesssynchronization,thetimingandformofitsinteractionswithotherprocesses.）

Incontrasttothenormalhardwarestand-bysparingscheme,thesparesoftwarecomponentisinvokedtocopewithmerelytheparticularsetofcircumstancesthatresultedinthefailureofthemaincomponent.Weassumethefailureofthiscomponenttobeduetoresidualdesigninadequacies,andhencethatsuchfailuresoccuronlyinexceptionalcircumstances.Thenumberofdifferentsetsofcircumstancesthatcanariseevenwithasoftwarecomponentofcomparativelymodestsizeisimmense.Thereforethesystemcanreverttotheuseofthemaincomponentforsubsequentoperations—inhardwarethiswouldnotnormallybedoneuntilthemaincomponenthadbeenrepaired.Thevarietyofundetectederrorswhichcouldhavebeenmadeinthedesignofanontrivialsoftwarecomponentisessentiallyinfinite.Duetothecomplexityofthecomponent,therelationshipbetweenanysucherroranditseffectatruntimemaybeveryobscure.Forthesereasonswebelievethatdiagnosisoftheoriginalcauseofsoftwareerrorsshouldbelefttohumanstodo,andshouldbedoneincomparativeleisure.Thereforeourschemeforsoftwarefaulttoleranceinnowaydependsonautomateddiagnosisofthecauseoftheerror—thiswouldsurelyresultonlyingreatlyincreasingthecomplexityandthereforetheerrorpronenessofthesystem.

Therecoveryblockschemeforachievingsoftwarefaulttolerancebymeansofstand-bysparinghastwoimportantcharacteristics.

1）Itincorporatesageneralsolutiontotheproblemofswitchingtotheuseofthesparecomponent,i.e.,ofrepairinganydamagedonebytheerroneousmaincomponent,andoftransferringcontroltotheappropriatesparecomponent.

2）Itprovidesamethodofexplicitlystructuringthesoftwaresystemwhichhastheeffectofensuringthattheextrasoftwareinvolvedinerrordetectionandinthesparecomponentsdoesnotaddtothecomplexityofthesystem,andsoreduceratherthanincreaseoverallsystemreliability.

Althoughthebasicrecoveryblockschemehasalreadybeendescribedelsewhere[5],itisconvenienttoincludeabriefaccountofithere.Wewillthendescribeseveralextensionstotheschemedirectedatmorecomplicatedsituationsthanthebasicschemewasintendedfor.Thuswestartbyconsideringtheproblemsoffaulttolerance,i.e.,oferrordetectionandrecovery,withinasinglesequentialprocessinwhichassignmentstostoredvariablesprovidetheonlymeansofmakingrecognizableprogress.Considerationsoftheproblemsofcommunicationwithotherprocesses,eitherwithinthecomputingsystem（e.g.,byasystemofpassingmessages,ortheuseofsharedstorage）orbeyondthecomputingsystem（e.g.,byexplicitinput-outputstatements）isdeferreduntilalatersection.

Theprogressofaprogramisbyitsexecutionofsequencesofthebasicoperationsofthecomputer.Clearly,errorcheckingforeachbasicoperationisoutofthequestion.Apartfromquestionsofexpense,absenceofanawarenessofthewiderscenewouldmakeitdifficulttoformulatethechecks.Wemustaimatachievingatolerablequantityofcheckingandexploitourknowledgeofthefunctionalstructureofthesystemtodistributethesecheckstobestadvantage.Itisstandardpracticetostructurethetextofaprogramofanysignificantcomplexityintoasetofblocks（bywhichtermweincludemodule,procedure,subroutine,paragraph,etc.）inordertosimplifythetaskofunderstandinganddocumentingtheprogram.Suchastructureallowsonetoprovi