WO2020221097A1 - Finite-state machine-based method and device for operating system requirement layer formal modeling - Google Patents


Info

Publication number
WO2020221097A1
Authority
WO
WIPO (PCT)
Prior art keywords
state
operating system
task
sub
changes
Prior art date
Application number
PCT/CN2020/086378
Other languages
French (fr)
Chinese (zh)
Inventor
乔磊
杨孟飞
刘波
杨桦
张锦坤
徐建
刘鸿瑾
Original Assignee
北京控制工程研究所 (Beijing Institute of Control Engineering)
Application filed by 北京控制工程研究所 (Beijing Institute of Control Engineering)
Publication of WO2020221097A1

Classifications

    • G06F 30/20 Design optimisation, verification or simulation (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 30/00 Computer-aided design [CAD])
    • G06F 9/4812 Task transfer initiation or dispatching by interrupt, e.g. masked (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 9/00 Arrangements for program control, e.g. control units > G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs > G06F 9/46 Multiprogramming arrangements > G06F 9/48 Program initiating; program switching, e.g. by interrupt > G06F 9/4806 Task transfer initiation or dispatching)

Definitions

  • The invention relates to a method and device for formal modeling of the operating system requirement layer based on a finite state machine, and belongs to the field of embedded operating systems.
  • The operating system is the first layer of software above the hardware, the support and foundation on which all application software runs, and the most important software in a computer system. Any small error in the operating system may crash the entire system, so the operating system must be a highly reliable and highly trustworthy software system; this is the basis for the reliable operation of all application software. To avoid errors, traditional software development relies on software testing to detect hidden defects.
  • Testing relies on testers designing test cases and then running a large number of tests over a long period to detect errors; reliability and trustworthiness can only be strengthened by accumulating test time and test volume. Software testing can only reveal problems; it cannot guarantee that the test cases cover every situation, so it cannot guarantee that the system is free of defects.
  • Formal methods are the general term for languages, techniques and tools, grounded in rigorous mathematics, for specifying, designing and verifying software and hardware systems.
  • Formal verification is one such method: it uses logical reasoning to establish the correctness of computer programs, checking through a formal program logic whether a program satisfies a given specification.
  • Safety is the primary consideration.
  • The operating system is the core that manages the spacecraft system; it determines whether the hardware can operate normally and whether the application software can complete its scheduled tasks. Formal verification of the space operating system therefore has great theoretical and practical significance.
  • Existing formal verification of operating systems mainly addresses design and verification methods.
  • The access control model constructed in the prior art lacks a detailed requirement-layer model and cannot complete top-down verification starting from the requirement layer.
  • The technical problem solved by the invention is to overcome the shortcomings of the prior art and provide a finite-state-machine-based formal modeling method for the operating system requirement layer that describes the operating process of the operating system accurately. This lays the foundation for the next step of formal verification, helps uncover potential errors earlier, and supports completing the formal verification of the entire operating system.
  • A formal modeling method for the operating system requirement layer based on a finite state machine includes:
  • In response to a request to model the requirement layer of the operating system, obtaining from the operating system function module database the multiple function modules corresponding to the operating system, at least two sub-states corresponding to each function module, and at least one operation that causes the sub-state of each function module to change, wherein the operating system function module database stores the correspondence between the operating system, its function modules, the function module sub-states, and the operations that cause the sub-states to change;
  • Establishing a formal model of the operating system requirement layer based on the finite state machine.
  • the method for establishing the operating system function module database includes:
  • the corresponding relationship between the operating system, the function module, the function module sub-state and the operation that causes the sub-state to change is established to obtain the operating system function module database.
  • The multiple function modules corresponding to the operating system include a task management module, an interrupt management module and a time management module.
  • The sub-states of the task management module include three task states: running, ready and suspended; the sub-states of the interrupt management module include two states: control cycle interrupt and time slice interrupt; the sub-states of the time management module include two states: cumulative counting time and task start point.
  • the at least one operation that causes the sub-state of each functional module to change includes:
  • Operations that cause the sub-state of the task management module to change include task suspension, task scheduling, task creation, task restart or task recovery;
  • the operations that cause the sub-state of the interrupt management module to change include opening or closing interrupts;
  • the operations that cause the sub-state of the time management module to change include cumulative counting or clearing.
  • Determining the system state of the operating system according to the sub-states of the function sub-modules includes:
  • the time slice interrupt information includes the time slice interrupt switch state and the accumulated count time t;
  • the system state of the operating system is determined according to the task list and the time slice interrupt information.
  • The trigger events that cause the system state to change include:
  • Establishing a formal model of the operating system requirement layer based on the finite state machine includes:
  • After the operating system is initialized, it is in the initial state S0.
  • The operating system includes system tasks, N application tasks and one idle task, N ≥ 3. In S0 only the idle task in the initial task list is in the running state and all other tasks are suspended; the time slice interrupt in the time slice interrupt information is off, and cumulative counting is not started;
  • When the nth application task is running, a time slice interrupt occurs and the cumulative count time t is not the start point of a new task, the nth application task continues to run, the states of the other tasks remain unchanged, and the system state stays in Sn;
  • When the nth application task is running, a time slice interrupt occurs and t is the start point of a new task, the nth application task changes from the running state to the suspended state, the (n+1)th application task changes from the suspended state to the running state, and the system state changes from Sn to Sn+1;
  • When the idle task is running (state M) and a time slice interrupt occurs at the start point of the nth or (n+1)th application task, the idle task changes from the running state to the ready state, the nth or (n+1)th application task changes from the suspended state to the running state, and the system state changes from M to Sn or Sn+1;
  • When the nth application task ends early, it changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from Sn to M;
  • When a time slice interrupt occurs and the Nth application task ends early, the Nth application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from SN to S0.
  • The operating system function module database further includes the global properties of the operating system, and the method further includes:
  • The embodiment of the invention also provides a formal modeling device for the operating system requirement layer based on a finite state machine, including:
  • an acquisition module, used to obtain, in response to a request to model the operating system requirement layer, from the operating system function module database the multiple function modules corresponding to the operating system, at least two sub-states corresponding to each function module, and at least one operation that causes the sub-state of each function module to change, wherein the database stores the correspondence between the operating system, the function modules, the function module sub-states and the operations that cause the sub-states to change;
  • a determining module, configured to determine the system state of the operating system according to the sub-states of the function sub-modules, and to determine the trigger events that cause the system state to change according to the operations that cause the sub-state of each sub-module to change;
  • a modeling module, used to establish a formal model of the operating system requirement layer based on the finite state machine according to the determined system states and the trigger events that cause the system state to change.
  • The operating system function module database further includes the global properties of the operating system,
  • and the device further includes:
  • a verification module, used to input the global properties of the operating system into the established finite-state-machine model of the operating system requirement layer and determine whether the model satisfies them, thereby verifying whether the operating system requirement layer is reliable.
  • The invention has the following advantages:
  • The method determines the system states of the operating system, and the trigger events that cause them to change, from the sub-states corresponding to each function module and the operations that change those sub-states, and from these establishes a finite-state-machine formal model of the operating system requirement layer. The model describes the operating process of the operating system accurately and lays the foundation for the next step, formal verification of the requirement layer;
  • The invention applies not only to spacecraft operating systems but also to other embedded safety-critical systems, and has good reusability, adaptability and flexibility;
  • Three sub-modules are selected to form the smallest system that still reflects the most basic behavioural characteristics of the operating system.
  • The operating system model for safety-critical systems is covered completely: the system model is simplified, yet all core elements are covered, which makes both modeling and verification easy.
  • FIG. 1 is a flowchart of a method for formal modeling of operating system requirements layer based on a finite state machine according to an embodiment of the present invention
  • FIG. 2 is a state transition diagram of a formal model of the operating system requirement layer based on a finite state machine provided by an embodiment of the present invention
  • FIG. 3 is a schematic diagram of a formal modeling device for operating system requirements layer based on a finite state machine according to an embodiment of the present invention
  • Fig. 4 is a state transition diagram of a model provided by a specific embodiment of the present invention.
  • The embodiment of the invention provides a method for formal modeling of the operating system requirement layer based on a finite state machine, including:
  • Step 101: in response to a request to model the operating system requirement layer, obtain from the operating system function module database the multiple function modules corresponding to the operating system, at least two sub-states corresponding to each function module, and at least one operation that causes the sub-state of each function module to change, wherein the database stores the correspondence between the operating system, the function modules, the function module sub-states and the operations that cause the sub-states to change;
  • The operating system can be divided by function into seven parts: initialization, task management, interrupt management, time management, memory management, inter-task communication management and peripheral management.
  • In the operating system function module database, the function modules an operating system has are determined from the requirements of that operating system; a function module sub-state is a state that characterizes the working condition of the module, such as the running state of the task management module or the writing state of the memory management module;
  • An operation that causes a sub-state to change is an operation that moves the function module from a first sub-state to a second sub-state.
  • For example, the task suspension operation changes the task management module from the running state to the suspended state.
  • The sub-states and corresponding operations of each function module can likewise be determined from the requirements of the operating system;
  • The operating system function module database may be stored on a local storage medium or on a server;
  • Step 102: determine the system state of the operating system according to the sub-states of the function sub-modules, and determine the trigger events that cause the system state to change according to the operations that cause the sub-state of each sub-module to change;
  • The system state can be determined from a pre-established table of correspondence between the sequence of sub-states of the function modules and the system state; the trigger event that causes a system state change can be determined from a table of correspondence between the sequence of operations that change the sub-states and the trigger event. Both tables can be determined from the requirements of the operating system;
  • Step 103: according to the determined system states and the trigger events that cause them to change, establish a formal model of the operating system requirement layer based on the finite state machine.
  • The modeling method provided by the embodiment can be implemented in MATLAB together with Simulink.
  • The embodiment thus provides a finite-state-machine-based method for formal modeling of the operating system requirement layer: it determines the system states of the operating system and the trigger events that cause them to change from the sub-states corresponding to each function module and the operations that cause those sub-states to change, and establishes a formal model of the requirement layer that describes the operating process of the operating system accurately and lays the foundation for the next step of formal verification of the requirement layer.
  • The method for establishing the operating system function module database includes:
  • The operating system requirement document may be the requirement specification of an on-board embedded operating system, which describes the functional requirements and specifications of the operating system in detail; each function module and its corresponding natural-language requirements can be determined from that description.
  • The multiple function modules corresponding to the operating system include a task management module, an interrupt management module and a time management module.
  • The sub-states of the task management module include three task states: running, ready and suspended; the sub-states of the interrupt management module include two states: control cycle interrupt and time slice interrupt; the sub-states of the time management module include two states: cumulative counting time and task start point.
  • These module variables are sufficient to describe the status of each module of a safety-critical operating system and ensure an accurate description of the system state.
  • Operations that change the sub-state of the task management module include task suspension, task scheduling, task creation, task restart and task recovery; operations that change the sub-state of the interrupt management module include opening and closing interrupts; operations that change the sub-state of the time management module include cumulative counting and clearing.
  • The operating system function module database also includes the global properties of the operating system, and the method further includes:
  • A global property is a condition that the system as a whole must satisfy, for example that at any time exactly one task is in the running state.
  • The embodiment of the invention also provides a formal modeling device for the operating system requirement layer based on a finite state machine, including:
  • an obtaining module 10, used to obtain, in response to a request to model the operating system requirement layer, from the operating system function module database the multiple function modules corresponding to the operating system, at least two sub-states corresponding to each function module, and at least one operation that causes the sub-state of each function module to change, wherein the database stores the correspondence between the operating system, the function modules, the function module sub-states and the operations that cause the sub-states to change;
  • a determining module 20, configured to determine the system state of the operating system according to the sub-states of the function sub-modules, and to determine the trigger events that cause the system state to change according to the operations that cause the sub-state of each sub-module to change;
  • a modeling module 30, used to establish a formal model of the operating system requirement layer based on the finite state machine according to the determined system states and the trigger events that cause them to change.
  • This embodiment provides a formal model of the operating system requirement layer for a spacecraft used in the space station project, as follows:
  • The requirement layer is abstracted, ignoring specific details, and a timed, event-driven task transfer system model is established that comprises a task management module, a time management module and an interrupt management module.
  • The finite state machine method is adopted for the formal modeling.
  • The system state has two parts: the task state list, i.e. the state of each application task, and the state of the external interrupt switch (the time slice interrupt information).
  • There are three types of trigger events for state transitions: the control cycle interrupt (IntControl), the time slice interrupt (IntTimeslice), and a task ending early (TaskEnd).
  • The requirement on the operating system is that the software can execute after the hardware is powered on, that the scheduler can schedule and execute tasks within the specified resource and time constraints, and that the system can respond to emergency events.
  • The minimum operating system kernel is divided into three parts: task management, interrupt management and time management; the global properties include that only one task in the system is in the running state.
  • Task management module: schedules and executes tasks through a given scheduling mechanism, manages the life cycle of tasks and realizes task state transitions;
  • Interrupt management module: responds to and manages external interrupts (control cycle interrupts and time slice interrupts);
  • Time management module: manages the real-time clock and timers.
  • The variables of the task management module are the three task states: running, ready and suspended;
  • the variables of the interrupt management module are the control cycle interrupt and the time slice interrupt;
  • the variables of the time management module are the cumulative count time t and the task start point ts.
  • The operations of the task management module are task suspension, task scheduling, task creation, task restart and task recovery;
  • the operations of the interrupt management module are opening and closing interrupts;
  • the operations of the time management module are cumulative counting and clearing.
  • The system state of the operating system is determined from the variables of the function sub-modules.
  • The operating system state is composed of the variables of the three sub-modules and consists of two parts, the task list and the time slice interrupt information:
  • the task list tasklist is the list of task states of all tasks; each system state corresponds to one task list;
  • the time slice interrupt information TS_status comprises the time slice interrupt switch state and the time t counted;
  • the time slice interrupt switch TS_status takes the values enable(t) and disable.
  • The operating system creates 12 tasks during initialization: 10 application tasks, 1 idle task and 1 system task.
  • The initial state waits for the arrival of the control cycle interrupt, and the time slice interrupt is not allowed, so the initial state s0 is defined as:
  • When a time slice interrupt occurs and time t is not the start point of a new task, the idle task continues to run and the SM state is maintained;
  • When a time slice interrupt occurs and time t is the start point of a new task, the idle task changes from the running state to the ready state, task n changes from the suspended state to the running state, and the system state changes from SM to Sn (2 ≤ n ≤ 10);
  • When the time slice interrupt is disabled, task 10 changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from S10 to S0.
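The state machine of this embodiment written out as an executable model, with the global property "exactly one task is in the running state" checked by exhaustive exploration of the reachable states. This is an added example, not code from the patent or from 北京控制工程研究所, and it is a plain Python explicit-state model rather than the MATLAB/Simulink implementation the page mentions. It assumes, beyond what the page states, that the control cycle interrupt in S0 switches the time slice interrupt on and dispatches application task 1 (the page starts its M to Sn rule at n = 2), that the system task stays suspended throughout, that the control cycle interrupt is ignored outside S0, and that the count t can be abstracted to the index of the task whose start point comes next; the function names (`successors`, `check`, `buggy_successors`) and the injected defect are the example's own.

```python
# Added example (not from the patent): explicit-state model of the requirement-layer
# FSM of this embodiment, explored exhaustively and checked against the global
# property "exactly one task is in the running state".
from collections import deque
from typing import Callable, Dict, Set, Tuple

RUNNING, READY, SUSPENDED = "running", "ready", "suspended"
N_APP = 10                   # page: 10 application tasks, 1 idle task, 1 system task
SYSTEM, IDLE = 0, N_APP + 1  # indices of the system task and the idle task in tasklist

# System state = (tasklist, time slice interrupt enabled?, nxt).
# 'nxt' is our abstraction of the counter t (assumption): the index of the task
# whose start point the next time slice interrupt can hit; N_APP + 1 = end of cycle.
State = Tuple[Tuple[str, ...], bool, int]
Step = Callable[[State], Dict[str, State]]


def initial_state() -> State:
    """S0: only the idle task runs, time slicing off, count not started."""
    tasks = [SUSPENDED] * (N_APP + 2)   # system task stays suspended (assumption)
    tasks[IDLE] = RUNNING
    return (tuple(tasks), False, 1)


def running_app(tasks: Tuple[str, ...]):
    """Index of the running application task, or None if only idle/system run."""
    return next((i for i in range(1, N_APP + 1) if tasks[i] == RUNNING), None)


def successors(s: State) -> Dict[str, State]:
    """Trigger events enabled in s, mapped to the state each one leads to."""
    tasks, ts_on, nxt = s
    out: Dict[str, State] = {}
    if not ts_on:
        # S0 waits for IntControl; assumption: it turns time slicing on and
        # dispatches application task 1 (the page starts its M->Sn rule at n=2).
        t = list(tasks)
        t[IDLE], t[1] = READY, RUNNING
        out["IntControl"] = (tuple(t), True, 2)
        return out
    cur = running_app(tasks)
    out["IntTimeslice(not start)"] = s          # t is not a start point: no change
    t = list(tasks)
    if cur is not None:
        t[cur] = SUSPENDED                      # running application task is preempted
    if nxt <= N_APP:                            # start point of task nxt: Sn or M -> S(nxt)
        if t[IDLE] == RUNNING:
            t[IDLE] = READY
        t[nxt] = RUNNING
        out["IntTimeslice(start)"] = (tuple(t), True, nxt + 1)
    else:                                       # after task N: time slicing off, S10 -> S0
        t[IDLE] = RUNNING
        out["IntTimeslice(start)"] = (tuple(t), False, 1)
    if cur is not None:                         # TaskEnd: Sn -> M, or SN -> S0
        t = list(tasks)
        t[cur], t[IDLE] = SUSPENDED, RUNNING
        out["TaskEnd"] = (tuple(t), False, 1) if cur == N_APP else (tuple(t), True, nxt)
    return out


def buggy_successors(s: State) -> Dict[str, State]:
    """Constructed defect for the verification step: the dispatcher forgets to
    move the idle task from running to ready when it dispatches task n from M."""
    out: Dict[str, State] = {}
    for ev, (tasks, ts_on, nxt) in successors(s).items():
        t = list(tasks)
        if ev == "IntTimeslice(start)" and ts_on and s[0][IDLE] == RUNNING:
            t[IDLE] = RUNNING
        out[ev] = (tuple(t), ts_on, nxt)
    return out


def name_of(s: State) -> str:
    """Project a concrete state onto the page's names S0, M, S1..S10."""
    tasks, ts_on, _ = s
    if not ts_on:
        return "S0"
    if tasks[IDLE] == RUNNING:
        return "M"
    return "S%d" % running_app(tasks)


def exactly_one_running(s: State) -> bool:
    """The global property from the page."""
    return sum(1 for x in s[0] if x == RUNNING) == 1


def check(step: Step = successors) -> dict:
    """BFS over all reachable states; report property violations and deadlocks."""
    init = initial_state()
    seen: Set[State] = {init}
    queue = deque([init])
    violations = deadlocks = 0
    while queue:
        s = queue.popleft()
        if not exactly_one_running(s):
            violations += 1
        succ = step(s)
        if not succ:
            deadlocks += 1
        for nxt_state in succ.values():
            if nxt_state not in seen:
                seen.add(nxt_state)
                queue.append(nxt_state)
    names = sorted({name_of(s) for s in seen}, key=lambda n: (n != "S0", n != "M", len(n), n))
    return {"reachable": len(seen), "names": names,
            "violations": violations, "deadlocks": deadlocks}


if __name__ == "__main__":
    print("model as specified:", check())
    print("with injected defect:", check(buggy_successors))
```

The model as specified reaches 20 concrete states (S0, S1 to S10, and nine variants of M that differ only in which start point comes next) projecting onto the 12 named states S0, M, S1..S10, with no violation and no deadlock. The injected defect, dispatching from M without parking the idle task, is reported as a violation of the global property; that is the kind of requirement-level error the verification module of this page is meant to catch before design and code exist. Replacing the hand-written `successors` with transitions loaded from the function module database is the natural next step.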


Abstract

A finite-state machine-based method and device for operating system requirement layer formal modeling, related to the field of embedded operating systems. The method: in response to a request to model an operating system requirement layer, from an operating system functional module database, acquiring multiple functional modules corresponding to an operating system, at least two sub-states corresponding to the functional modules, and at least one operation causing changes in the sub-states of the functional modules, where the operating system functional module database stores correlations between operating systems, functional modules, functional module sub-states, and operations causing changes in the sub-states (101); determining a system state of the operating system on the basis of the sub-states of the functional modules, and determining, on the basis of the operation causing changes in the sub-states corresponding to the modules, a trigger event causing a change in the system state (102); and establishing a finite-state machine-based operating system requirement layer formal model on the basis of the system state determined and of the trigger event causing the change in the system state (103). The method allows the accurate description of a working process of the operating system, thus laying the foundation for a formal verification in the next step, allowing the early discovery of the presence of any potential error, and facilitating the completion of the formal verification of the entire operating system.

Description

Method and device for formal modeling of the operating system requirement layer based on a finite state machine
This application claims priority to Chinese patent application No. 201910351821.2, filed with the Chinese Patent Office on April 28, 2019 and entitled "Finite-state machine-based method and device for operating system requirement layer formal modeling", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to a finite-state machine-based method and device for formal modeling of the operating system requirement layer, and belongs to the field of embedded operating systems.
Background
With the rapid development of the aerospace industry, the scale and complexity of space missions have grown, and so has the amount of software on board spacecraft. This places higher demands on the hardware, but the hardware resources of space computers are limited, so making more effective use of them has become a key problem, and the introduction of a space operating system has become inevitable. The operating system is the first software layer above the hardware, the support and foundation on which all higher-level application software runs, and the most important software in a computer system. Any small error in the operating system can bring down the entire system; the operating system must therefore be a highly reliable and trustworthy software system, since it is the basis on which all application software runs reliably. Traditional software development avoids errors by using software testing to detect hidden defects. Testing relies on testers designing test cases and running a large number of tests over a long time to detect errors in the system, so reliability and trustworthiness can only be strengthened by accumulating test time and test volume. However, software testing can only find problems; it cannot ensure that the test cases cover every situation, and therefore cannot guarantee that the system is free of defects.
Formal methods are the collective name for the languages, techniques and tools, built on a rigorous mathematical basis, used to specify, design and verify software and hardware systems. Formal verification is one of the methods that use logical reasoning to guarantee the correctness of computer programs: a formal program logic can be used to verify whether a program satisfies a given specification. For spacecraft, safety is the first requirement. The operating system is the core that manages the spacecraft system and determines whether the hardware can operate normally and whether the application software can complete its scheduled tasks. The formal verification of a space operating system therefore has great theoretical and practical significance.
At present, formal verification of operating systems mainly follows a "verify while designing" approach; the access control models built this way lack a detailed requirement layer model, so top-down verification starting from the requirement layer cannot be completed.
Summary of the invention
The technical problem solved by the present invention is to overcome the shortcomings of the prior art and provide a finite-state machine-based method for formal modeling of the operating system requirement layer that accurately describes the running process of the operating system, lays the foundation for the next step of formal verification, allows potential errors to be discovered earlier, and helps to complete the formal verification of the entire operating system.
The technical solution of the present invention is as follows.
A finite-state machine-based method for formal modeling of the operating system requirement layer, comprising:
in response to a request to model the operating system requirement layer, acquiring from an operating system functional module database a plurality of functional modules corresponding to the operating system, at least two sub-states corresponding to each functional module, and at least one operation that causes the sub-state of each functional module to change, wherein the operating system functional module database stores the correspondence between operating systems, functional modules, functional module sub-states and the operations that cause the sub-states to change;
determining the system state of the operating system from the sub-states of the functional modules, and determining, from the operations that cause the sub-state of each module to change, the trigger events that cause the system state to change;
establishing a finite-state machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause the system state to change.
In an optional embodiment, the method for establishing the operating system functional module database comprises:
determining, from the operating system requirements document, each functional module of the operating system and its corresponding natural-language requirements;
determining, from the natural-language requirements of each functional module, the sub-states of the module and at least one operation that causes its sub-state to change;
establishing the correspondence between the operating system, the functional modules, the functional module sub-states and the operations that cause the sub-states to change, thereby obtaining the operating system functional module database.
In an optional embodiment, the plurality of functional modules corresponding to the operating system comprises a task management module, an interrupt management module and a time management module.
In an optional embodiment, the sub-states of the task management module comprise three task states: running, ready and suspended; the sub-states of the interrupt management module comprise two states: control cycle interrupt and time slice interrupt; and the sub-states of the time management module comprise two states: accumulated count time and task start point.
In an optional embodiment, the at least one operation that causes the sub-state of each functional module to change comprises:
operations that change the sub-state of the task management module, including task suspension, task scheduling, task creation, task restart or task resumption;
operations that change the sub-state of the interrupt management module, including enabling or disabling interrupts;
operations that change the sub-state of the time management module, including accumulating the count or clearing it.
In an optional embodiment, determining the system state of the operating system from the sub-states of the functional modules comprises:
determining the task list of the operating system from the sub-states of the task management module, the task list containing the task state of each kind of task in the task management module;
determining the time slice interrupt information of the operating system from the sub-states of the interrupt management module and the time management module, the time slice interrupt information containing the on/off state of the time slice interrupt and the accumulated count time t;
determining the system state of the operating system from the task list and the time slice interrupt information.
In an optional embodiment, the trigger events that cause the system state to change comprise:
a control cycle interrupt, a time slice interrupt and the early ending of a task.
In an optional embodiment, establishing the finite-state machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause them to change comprises:
after initialization the operating system is in the initial state S0; the operating system comprises a system task, N application tasks and one idle task, N ≥ 3; in the initial task list only the idle task is in the running state and all other tasks are suspended, and in the time slice interrupt information the time slice interrupt is off and the accumulated count has not been started;
when a control cycle interrupt occurs, the time slice interrupt is turned on and the accumulated count starts from 0, the 1st application task changes from the suspended state to the running state, the idle task changes from the running state to the ready state, and the system state changes from the initial state S0 to state S1;
when the 1st application task is running, a time slice interrupt occurs and the accumulated count time t is a new task start point, the 1st application task changes from the running state to the suspended state, the n-th application task changes from the suspended state to the running state, and the system state changes from state S1 to state Sn, where 2 ≤ n ≤ N-1;
when the 1st application task ends early while the time slice interrupt is on, the 1st application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state S1 to state M;
when the n-th application task is running, a time slice interrupt occurs and the accumulated count time t is not a new task start point, the n-th application task continues to run, the states of the other tasks remain unchanged, and the system remains in state Sn;
when the n-th application task is running, a time slice interrupt occurs and the accumulated count time t is a new task start point, the n-th application task changes from the running state to the suspended state, the (n+1)-th application task changes from the suspended state to the running state, and the system state changes from state Sn to state Sn+1;
when the idle task is running, a time slice interrupt occurs and the accumulated count time t is not a new task start point, the idle task continues to run, the states of the other tasks remain unchanged, and the system remains in state M;
when the idle task is running, a time slice interrupt occurs and the accumulated count time t is a new task start point, the idle task changes from the running state to the ready state, the n-th or (n+1)-th application task changes from the suspended state to the running state, and the system state changes from state M to state Sn or Sn+1;
when the n-th application task ends early, the n-th application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state Sn to state M;
when the (n+1)-th application task ends early, the (n+1)-th application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state Sn+1 to state M;
after entering state SN the time slice interrupt is turned off; when the N-th application task ends early, the N-th application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state SN to state S0.
In an optional embodiment, the operating system functional module database further includes global properties of the operating system, and the method further comprises:
judging whether the model satisfies the global properties; if it does, the operating system requirement layer is reliable, and if not, the operating system requirement layer is unreliable.
An embodiment of the present invention further provides a finite-state machine-based device for formal modeling of the operating system requirement layer, comprising:
an acquisition module, configured to acquire, in response to a request to model the operating system requirement layer, from an operating system functional module database a plurality of functional modules corresponding to the operating system, at least two sub-states corresponding to each functional module, and at least one operation that causes the sub-state of each functional module to change, wherein the operating system functional module database stores the correspondence between operating systems, functional modules, functional module sub-states and the operations that cause the sub-states to change;
a determination module, configured to determine the system state of the operating system from the sub-states of the functional modules, and to determine, from the operations that cause the sub-state of each module to change, the trigger events that cause the system state to change;
a modeling module, configured to establish a finite-state machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause the system state to change.
In an optional embodiment, the method for establishing the operating system functional module database comprises:
determining, from the operating system requirements document, each functional module of the operating system and its corresponding natural-language requirements;
determining, from the natural-language requirements of each functional module, the sub-states of the module and at least one operation that causes its sub-state to change;
establishing the correspondence between the operating system, the functional modules, the functional module sub-states and the operations that cause the sub-states to change, thereby obtaining the operating system functional module database.
In an optional embodiment, the plurality of functional modules corresponding to the operating system comprises a task management module, an interrupt management module and a time management module.
In an optional embodiment, the sub-states of the task management module comprise three task states: running, ready and suspended; the sub-states of the interrupt management module comprise two states: control cycle interrupt and time slice interrupt; and the sub-states of the time management module comprise two states: accumulated count time and task start point.
In an optional embodiment, the at least one operation that causes the sub-state of each functional module to change comprises:
operations that change the sub-state of the task management module, including task suspension, task scheduling, task creation, task restart or task resumption;
operations that change the sub-state of the interrupt management module, including enabling or disabling interrupts;
operations that change the sub-state of the time management module, including accumulating the count or clearing it.
In an optional embodiment, determining the system state of the operating system from the sub-states of the functional modules comprises:
determining the task list of the operating system from the sub-states of the task management module, the task list containing the task state of each kind of task in the task management module;
determining the time slice interrupt information of the operating system from the sub-states of the interrupt management module and the time management module, the time slice interrupt information containing the on/off state of the time slice interrupt and the accumulated count time t;
determining the system state of the operating system from the task list and the time slice interrupt information.
In an optional embodiment, the trigger events that cause the system state to change comprise:
a control cycle interrupt, a time slice interrupt and the early ending of a task.
In an optional embodiment, establishing the finite-state machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause them to change comprises:
after initialization the operating system is in the initial state S0; the operating system comprises a system task, N application tasks and one idle task, N ≥ 3; in the initial task list only the idle task is in the running state and all other tasks are suspended, and in the time slice interrupt information the time slice interrupt is off and the accumulated count has not been started;
when a control cycle interrupt occurs, the time slice interrupt is turned on and the accumulated count starts from 0, the 1st application task changes from the suspended state to the running state, the idle task changes from the running state to the ready state, and the system state changes from the initial state S0 to state S1;
when the 1st application task is running, a time slice interrupt occurs and the accumulated count time t is a new task start point, the 1st application task changes from the running state to the suspended state, the n-th application task changes from the suspended state to the running state, and the system state changes from state S1 to state Sn, where 2 ≤ n ≤ N-1;
when the 1st application task ends early while the time slice interrupt is on, the 1st application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state S1 to state M;
when the n-th application task is running, a time slice interrupt occurs and the accumulated count time t is not a new task start point, the n-th application task continues to run, the states of the other tasks remain unchanged, and the system remains in state Sn;
when the n-th application task is running, a time slice interrupt occurs and the accumulated count time t is a new task start point, the n-th application task changes from the running state to the suspended state, the (n+1)-th application task changes from the suspended state to the running state, and the system state changes from state Sn to state Sn+1;
when the idle task is running, a time slice interrupt occurs and the accumulated count time t is not a new task start point, the idle task continues to run, the states of the other tasks remain unchanged, and the system remains in state M;
when the idle task is running, a time slice interrupt occurs and the accumulated count time t is a new task start point, the idle task changes from the running state to the ready state, the n-th or (n+1)-th application task changes from the suspended state to the running state, and the system state changes from state M to state Sn or Sn+1;
when the n-th application task ends early, the n-th application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state Sn to state M;
when the (n+1)-th application task ends early, the (n+1)-th application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state Sn+1 to state M;
after entering state SN the time slice interrupt is turned off; when the N-th application task ends early, the N-th application task changes from the running state to the suspended state, the idle task changes from the ready state to the running state, and the system state changes from state SN to state S0.
In an optional embodiment, the operating system functional module database further includes global properties of the operating system, and the device further comprises:
a verification module, configured to input the global properties of the operating system into the established finite-state machine-based formal model of the operating system requirement layer and judge whether the model satisfies the global properties, thereby verifying whether the operating system requirement layer is reliable.
Compared with the prior art, the present invention has the following advantages:
(1) The finite-state machine-based method for formal modeling of the operating system requirement layer provided by the embodiment of the present invention determines the system states of the operating system and the trigger events that cause them to change from the sub-states corresponding to each functional module of the operating system and the operations that cause the sub-states to change, and from these establishes a finite-state machine-based formal model of the operating system requirement layer. The model accurately describes the running process of the operating system and lays the foundation for the next step, the formal verification of the operating system requirement layer.
(2) The present invention is not only applicable to spacecraft operating systems but equally to other embedded safety-critical systems, and has good reusability, adaptability and flexibility.
(3) The three sub-modules selected form a minimal system that reflects the most basic behavioral characteristics of the operating system and fully covers the operating system modes of a safety-critical system; this both simplifies the system model and covers all core elements, which facilitates modeling and verification.
Description of the drawings
FIG. 1 is a flowchart of the finite-state machine-based method for formal modeling of the operating system requirement layer provided by an embodiment of the present invention;
FIG. 2 is a state transition diagram of the finite-state machine-based formal model of the operating system requirement layer provided by an embodiment of the present invention;
FIG. 3 is a schematic diagram of the finite-state machine-based device for formal modeling of the operating system requirement layer provided by an embodiment of the present invention;
FIG. 4 is a state transition diagram of the model provided by a specific embodiment of the present invention.
Detailed description
The specific embodiments of the present invention are described in further detail below with reference to the drawings and specific examples.
An embodiment of the present invention provides a finite-state machine-based method for formal modeling of the operating system requirement layer, comprising:
Step 101: in response to a request to model the operating system requirement layer, acquiring from an operating system functional module database a plurality of functional modules corresponding to the operating system, at least two sub-states corresponding to each functional module, and at least one operation that causes the sub-state of each functional module to change, wherein the operating system functional module database stores the correspondence between operating systems, functional modules, functional module sub-states and the operations that cause the sub-states to change;
Specifically, in the embodiment of the present invention the operating system can be divided by function into seven functional modules: initialization, task management, interrupt management, time management, memory management, inter-task communication management and peripheral management. The operating system functional module database can determine which functional modules the operating system has according to the operating system requirements. A functional module sub-state is a state that characterizes the working condition of the module, for example the running state of the task management module or the write state of the memory management module. Correspondingly, an operation that causes a sub-state to change is one that moves the functional module from a first sub-state to a second sub-state; for example, a task suspension operation can move the task management module from the running state to the suspended state. The operating system functional module database can determine the sub-states of each functional module and the corresponding operations according to the operating system requirements;
In the embodiment of the present invention, the operating system functional module database may be stored on a local storage medium or on a server;
Step 102: determining the system state of the operating system from the sub-states of the functional modules, and determining, from the operations that cause the sub-state of each module to change, the trigger events that cause the system state to change;
Specifically, in the embodiment of the present invention the system state of the operating system can be determined from a pre-established correspondence table between the sequence of functional module sub-states and the system state, and the trigger events that cause the system state to change can be determined from a correspondence table between the sequence of operations that change the functional module sub-states and the trigger events; both correspondence tables can be determined according to the operating system requirements;
Step 103: establishing a finite-state machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause the system state to change.
The modeling method provided by the embodiment of the present invention can be implemented with MATLAB and Simulink.
The finite-state machine-based method for formal modeling of the operating system requirement layer provided by the embodiment of the present invention determines the system states of the operating system and the trigger events that cause them to change from the sub-states corresponding to each functional module and the operations that cause the sub-states to change, and from these establishes a finite-state machine-based formal model of the operating system requirement layer. The model accurately describes the running process of the operating system and lays the foundation for the next step, the formal verification of the operating system requirement layer.
In an optional embodiment, the method for establishing the operating system function module database includes:
a. Determine the functional modules of the operating system and their corresponding natural-language requirements from the operating system requirements document;
The operating system requirements document may, for example, be the requirements specification of an on-board embedded operating system, which describes the functional requirements and specifications of the operating system in detail; the functional modules and their natural-language requirements are identified from that description.
b. From the natural-language requirements of each functional module, determine its sub-states and at least one operation that changes each sub-state;
c. Establish the correspondence between the operating system, its functional modules, the functional module sub-states and the operations that change the sub-states; the result is the operating system function module database.
In an optional embodiment, the functional modules corresponding to the operating system include a task management module, an interrupt management module and a time management module.
These three modules form a minimal system that reflects the most basic behavioural characteristics of an operating system and fully covers the operating-system modes of a safety-critical system. This simplifies the system model while keeping all core elements, which makes modeling and verification easier.
Further, the sub-states of the task management module are the three task states running, ready and suspended; the sub-states of the interrupt management module are the two states control-cycle interrupt and time-slice interrupt; the sub-states of the time management module are the two states accumulated count time and task start point.
These module variables are sufficient to describe the state of each module of a safety-critical operating system and ensure that the system state is described accurately.
Further, the operations that change the sub-state of the task management module are task suspend, task schedule, task create, task restart and task resume; the operations that change the sub-state of the interrupt management module are enabling and disabling interrupts; the operations that change the sub-state of the time management module are accumulating the count and clearing it.
These module operations are sufficient to describe the changes in behaviour of each module of a safety-critical operating system and ensure that system state changes are described accurately.
In an optional embodiment, determining the system state of the operating system from the sub-states of the functional sub-modules includes:
determining the task list of the operating system from the sub-state of the task management module, the task list containing the task state of every task managed by the task management module;
determining the time-slice interrupt information of the operating system from the sub-states of the interrupt management module and the time management module, the time-slice interrupt information containing the time-slice interrupt switch state (enabled or disabled) and the accumulated count time t;
determining the system state of the operating system from the task list and the time-slice interrupt information.
Further, the trigger events that cause system state changes include:
the control-cycle interrupt, the time-slice interrupt and early task termination.
As shown in Fig. 1, in an optional embodiment, establishing the finite-state-machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause system state changes includes:
After initialization the operating system is in the initial state S0. The operating system comprises a system task, N application tasks and one idle task, with N≥3. In the initial task list only the idle task is running and all other tasks are suspended; in the time-slice interrupt information the time-slice interrupt is disabled and the accumulated count has not been started;
When the control-cycle interrupt occurs, the time-slice interrupt is enabled and the accumulated count starts at 0; application task 1 changes from suspended to running, the idle task changes from running to ready, and the system state changes from the initial state S0 to state S1;
When application task 1 is running and a time-slice interrupt occurs with the accumulated count time t equal to a new task start point, application task 1 changes from running to suspended, application task n changes from suspended to running, and the system state changes from S1 to Sn, where 2≤n≤N-1;
When application task 1 ends early while the time-slice interrupt is enabled, application task 1 changes from running to suspended, the idle task changes from ready to running, and the system state changes from S1 to state M;
When application task n is running and a time-slice interrupt occurs with t not a new task start point, application task n continues to run, the states of the other tasks are unchanged, and the system state remains Sn;
When application task n is running and a time-slice interrupt occurs with t equal to a new task start point, application task n changes from running to suspended, application task n+1 changes from suspended to running, and the system state changes from Sn to Sn+1;
When the idle task is running and a time-slice interrupt occurs with t not a new task start point, the idle task continues to run, the states of the other tasks are unchanged, and the system state remains M;
When the idle task is running and a time-slice interrupt occurs with t equal to a new task start point, the idle task changes from running to ready, application task n or application task n+1 changes from suspended to running, and the system state changes from M to Sn or Sn+1;
When application task n ends early, application task n changes from running to suspended, the idle task changes from ready to running, and the system state changes from Sn to M;
When application task n+1 ends early, application task n+1 changes from running to suspended, the idle task changes from ready to running, and the system state changes from Sn+1 to M;
After entering state SN the time-slice interrupt is disabled; when application task N ends early, application task N changes from running to suspended, the idle task changes from ready to running, and the system state changes from SN back to S0.
Further, the operating system function module database also holds the global properties of the operating system, and the method further includes:
checking whether the model satisfies the global properties; if it does, the operating system requirement layer is judged reliable.
For example, one global property is that exactly one task in the system is in the running state at any time; other properties that must hold globally are checked in the same way.
As shown in Fig. 3, the embodiment also provides a finite-state-machine-based formal modeling device for the operating system requirement layer, comprising:
an acquisition module 10, for obtaining, in response to a request to model the operating system requirement layer, from the operating system function module database the functional modules corresponding to the operating system, at least two sub-states for each functional module, and at least one operation that changes each functional module's sub-state, where the operating system function module database stores the correspondence between the operating system, its functional modules, the functional module sub-states and the operations that change the sub-states;
a determination module 20, for determining the system state of the operating system from the sub-states of the functional sub-modules, and determining the trigger events that cause system state changes from the operations, corresponding to each sub-module, that cause sub-state changes;
a modeling module 30, for establishing a finite-state-machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause system state changes.
This device embodiment corresponds one-to-one to the method embodiment above; for its specific effects and description see the method embodiment, which is not repeated here.
The following is a specific embodiment provided by the invention:
As shown in Fig. 4, this embodiment provides a formal model of the requirement layer of the operating system used on a spacecraft of the space station project. The method is as follows:
At the top level the requirement layer is abstracted, ignoring specific details, and a timed event-driven task-transfer system model is built that comprises the task management module, the time management module and the interrupt management module.
Formal modeling uses the finite-state-machine method. The system state has two parts: the task state list, i.e. the state of each application task, and the state of the external interrupt switch (the time-slice interrupt information). There are three kinds of trigger event for state transitions: the control-cycle interrupt IntControl, the time-slice interrupt IntTimeslice and early task termination TaskEnd. Assume that in the spacecraft control computer the application software schedules tasks with control cycle T and time slice timeslice. Taking a spacecraft of the space station project as an example, the operating system software usually has three kinds of task: application tasks, the idle task and the system task. The method is described with N=10 application tasks. Assume that each control cycle is T=160 ms and the time slice is timeslice=4 ms, so each cycle has 40 time slices (ticks); the initial tick count is tick=0, and within one cycle 11 tasks are scheduled for execution at fixed points in time.
The specific method is as follows:
1) Obtain the operating system requirements document and analyse the natural-language requirements and global properties of the operating system and its functional sub-modules:
11) The requirement on the operating system is that software can execute after the hardware is powered on, that the scheduler schedules and executes tasks within the specified resource and timing constraints, and that the system can respond to urgent events. Divided by function, the minimal operating system kernel has three parts: task management, interrupt management and time management. The global properties include that exactly one task in the system is in the running state.
12) Task management module: schedules and executes tasks through a scheduling mechanism, manages the task life cycle and implements task state transitions;
13) Interrupt management module: responds to and manages external interrupts (the control-cycle interrupt and the time-slice interrupt);
14) Time management module: manages the real-time clock and timers;
2) Determine the variables (sub-states) of each functional module from its natural-language requirements:
21) The variables of the task management module are the three task states: running, ready and suspended;
22) The variables of the interrupt management module are the control-cycle interrupt and the time-slice interrupt;
23) The variables of the time management module are the accumulated count time t and the task start point ts.
3) Determine, from the natural-language requirements of each functional module, the operations that change its variables:
31) The operations of the task management module are task suspend, task schedule, task create, task restart and task resume;
32) The operations of the interrupt management module are enabling and disabling interrupts;
33) The operations of the time management module are accumulating the count and clearing it.
4) Determine the system state of the operating system from the variables of the functional sub-modules. The operating system state is the combination of the variables of the three sub-modules and has two parts, the task list and the time-slice interrupt information:
41) The task list tasklist is the list of the task states of all tasks; each system state corresponds to one task list;
42) The time-slice interrupt information TS_status contains the time-slice interrupt switch state and the accumulated count time t; the switch TS_status takes the two forms enable(t) and disable;
5) Determine the trigger events that cause operating system state changes from the operations, corresponding to each sub-module, that change its variables:
51) the control-cycle interrupt IntControl;
52) the time-slice interrupt IntTimeslice;
53) early task termination TaskEnd;
6) Determine the formal model of the operating system requirement layer from the determined operating system states and the trigger events that change them. The state transition diagram of the resulting model is shown in Fig. 2:
61) At initialization the operating system creates 12 tasks: 10 application tasks, 1 idle task and 1 system task, where the system task is always suspended. In the initial state only the idle task is running and all other tasks are suspended, so the initial task list is defined as init_tasklist::=(S,S,S,S,S,S,S,S,S,S,E,S). The initial state is waiting for the control-cycle interrupt and does not allow the time-slice interrupt, so the initial state s0 is defined as:
init_state(s0)::={tasklist=init_tasklist,TS_status=disable}
62) The control-cycle interrupt occurs, the time-slice count starts at 0 and the time-slice interrupt is enabled; task 1 changes from suspended to running, the idle task changes from running to ready, and the system state changes from S0 to S1;
63) Before the time-slice interrupt arrives, with the time-slice interrupt enabled, task 1 ends early; task 1 changes from running to suspended, the idle task changes from ready to running, and the system state changes from S1 to SM;
64) While task n is running a time-slice interrupt occurs but time t is not a new task start point; task n continues to run and the state Sn is kept (1≤n≤10);
65) While task n is running a time-slice interrupt occurs and time t is a new task start point; task n changes from running to suspended, task n+1 changes from suspended to running, and the system state changes from Sn to Sn+1 (1≤n<10);
66) While the idle task is running a time-slice interrupt occurs but time t is not a new task start point; the idle task continues to run and the state SM is kept;
67) While the idle task is running a time-slice interrupt occurs and time t is a new task start point; the idle task changes from running to ready, task n changes from suspended to running, and the system state changes from SM to Sn (2≤n≤10);
68) While task n is running it ends early and gives up the CPU; task n changes from running to suspended, the idle task changes from ready to running, and the system state changes from Sn to SM (2≤n<10);
69) After entering state S10 the time-slice interrupt is disabled; when task 10 ends early, task 10 changes from running to suspended, the idle task changes from ready to running, and the system state changes from S10 to S0.
It is checked that in every state of the model of Fig. 2 exactly one task is in the running state, which verifies that the operating system requirement layer is reliable.
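The rules above are small enough to check by machine rather than by reading Fig. 2. The following Python program is an added example written for this page; it is not code from the patent or from the spacecraft software it describes. It encodes the general transition rules of the optional embodiment (states S0, S1..SN, M and the events IntControl, IntTimeslice, TaskEnd) instantiated with the N=10, 40-tick cycle of the specific embodiment (rules 61 to 69), enumerates every reachable system state by breadth-first search, and checks the global property that exactly one task is running in each of them. Two things are assumptions of the example, because the page does not give them: the fixed start points of the application tasks (task n is assumed to start at tick 4(n-1)) and the fact that a control-cycle interrupt is only accepted in S0, which is the only state where the page defines it. All function and constant names are the example's own. A deliberately wrong variant of the TaskEnd rule is included so the check can be seen to fail when a rule is wrong.

```python
"""Exhaustive state-space check of the scheduler FSM of rules 61) to 69).

Task list indices 0..9 are application tasks 1..10, 10 is the idle task and
11 is the system task.  Task states: 'E' running, 'R' ready, 'S' suspended.
A system state is (tasklist, tick): tick is None while the time-slice
interrupt is disabled (TS_status = disable) and the accumulated count t
while it is enabled (TS_status = enable(t)).
"""
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

N_APP = 10                 # application tasks, as in the embodiment
IDLE = N_APP               # index of the idle task in the task list
SYS = N_APP + 1            # index of the system task (always suspended)
TICKS_PER_CYCLE = 40       # T = 160 ms with a 4 ms time slice

# ASSUMPTION: the page only says the tasks start at fixed ticks and gives no
# values; here application task n starts at tick 4*(n-1), i.e. 0, 4, ..., 36.
START_TICK: Dict[int, int] = {n: 4 * (n - 1) for n in range(1, N_APP + 1)}
TASK_AT_TICK: Dict[int, int] = {t: n for n, t in START_TICK.items()}

State = Tuple[Tuple[str, ...], Optional[int]]
Stepper = Callable[[State, str], Optional[State]]
EVENTS = ("IntControl", "IntTimeslice", "TaskEnd")


def init_state() -> State:
    """S0: only the idle task runs, time-slice interrupt disabled, count cleared."""
    tasks = ["S"] * (N_APP + 2)
    tasks[IDLE] = "E"
    return tuple(tasks), None


def running(tasks: Tuple[str, ...]) -> List[int]:
    return [i for i, s in enumerate(tasks) if s == "E"]


def step(state: State, event: str) -> Optional[State]:
    """Successor of `state` under `event`, or None if the event is not enabled."""
    tasks, tick = state
    runs = running(tasks)
    if len(runs) != 1:               # malformed state: nothing is enabled
        return None
    cur, t = runs[0], list(tasks)
    if event == "IntControl":
        # ASSUMPTION: the page defines the control-cycle interrupt only in S0.
        if tick is not None or cur != IDLE:
            return None
        t[IDLE], t[0] = "R", "E"     # rule 62): task 1 runs, count starts at 0
        return tuple(t), 0
    if event == "IntTimeslice":
        if tick is None:
            return None
        tick += 1
        m = TASK_AT_TICK.get(tick)   # task whose start point has been reached
        if m is None:                # rules 64), 66): not a start point
            return tuple(t), tick
        t[cur] = "R" if cur == IDLE else "S"   # rules 65), 67)
        t[m - 1] = "E"
        return tuple(t), None if m == N_APP else tick   # rule 69): S10 disables
    if event == "TaskEnd":
        if cur == IDLE:              # only application tasks end early
            return None
        t[cur], t[IDLE] = "S", "E"   # rules 63), 68): the idle task resumes
        return tuple(t), tick        # tick is None after task 10 ends: that is S0
    raise ValueError(event)


def explore(stepper: Stepper = step):
    """Breadth-first enumeration of every reachable state and transition."""
    s0 = init_state()
    seen, edges, queue = {s0}, [], deque([s0])
    while queue:
        s = queue.popleft()
        for ev in EVENTS:
            nxt = stepper(s, ev)
            if nxt is None:
                continue
            edges.append((s, ev, nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, edges


def violations(states) -> List[State]:
    """States breaking the global properties: exactly one task running, system
    task never scheduled, idle task never suspended, count never reaching the
    end of the control cycle while the time-slice interrupt is enabled."""
    return [
        (tasks, tick) for tasks, tick in states
        if len(running(tasks)) != 1 or tasks[SYS] != "S" or tasks[IDLE] == "S"
        or (tick is not None and tick >= TICKS_PER_CYCLE)
    ]


def step_without_idle_resume(state: State, event: str) -> Optional[State]:
    """Deliberately wrong variant of rules 63) and 68): the ending task is
    suspended but the CPU is not handed back to the idle task."""
    nxt = step(state, event)
    if nxt is None or event != "TaskEnd":
        return nxt
    tasks, tick = nxt
    t = list(tasks)
    t[IDLE] = "R"
    return tuple(t), tick


if __name__ == "__main__":
    states, edges = explore()
    print(f"reachable states: {len(states)}, transitions: {len(edges)}")
    print("violations in the page's model:", violations(states))
    bad, _ = explore(step_without_idle_resume)
    print("violations in the faulty variant:", len(violations(bad)))
```

With the assumed start points the model has 74 reachable states (S0, S1..S9 at the four ticks of each task's window, SM at every tick 0..35, and S10) and no violation, while the faulty variant produces a dead-end state with no running task after every early termination, which the check reports. One caveat the enumeration makes visible: the page defines IntControl only in S0, so an application task that overruns the end of the 160 ms cycle (task 10 still running when the next control-cycle interrupt arrives) is simply not modelled; a verification engineer would add that case as an explicit requirement before relying on the model.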
The above is only one specific embodiment of the invention, but the protection scope of the invention is not limited to it. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the invention falls within the protection scope of the invention.
Parts of the invention not described in detail belong to the common knowledge of those skilled in the art.

Claims (10)

  1. A finite-state-machine-based formal modeling method for an operating system requirement layer, characterized in that it comprises:
    in response to a request to model the operating system requirement layer, obtaining from an operating system function module database a plurality of functional modules corresponding to the operating system, at least two sub-states corresponding to each functional module, and at least one operation that causes each functional module's sub-state to change, wherein the operating system function module database stores the correspondence between the operating system, the functional modules, the functional module sub-states and the operations that cause the sub-states to change;
    determining the system state of the operating system from the sub-states of the functional sub-modules, and determining the trigger events that cause system state changes from the operations, corresponding to each sub-module, that cause sub-state changes;
    establishing a finite-state-machine-based formal model of the operating system requirement layer from the determined system states and the trigger events that cause system state changes.
  2. The finite-state-machine-based formal modeling method for an operating system requirement layer according to claim 1, characterized in that the method for establishing the operating system function module database comprises:
    determining the functional modules of the operating system and their corresponding natural-language requirements from the operating system requirements document;
    determining, from the natural-language requirements of each functional module, its sub-states and at least one operation that causes each functional module's sub-state to change;
    establishing the correspondence between the operating system, the functional modules, the functional module sub-states and the operations that cause the sub-states to change, to obtain the operating system function module database.
  3. The finite-state-machine-based formal modeling method for an operating system requirement layer according to claim 1 or 2, characterized in that the plurality of functional modules corresponding to the operating system comprises a task management module, an interrupt management module and a time management module.
  4. The finite-state-machine-based formal modeling method for an operating system requirement layer according to claim 3, characterized in that:
    the sub-states of the task management module comprise the three task states running, ready and suspended;
    the sub-states of the interrupt management module comprise the two states control-cycle interrupt and time-slice interrupt;
    the sub-states of the time management module comprise the two states accumulated count time and task start point.
  5. The finite-state-machine-based formal modeling method for an operating system requirement layer according to claim 4, characterized in that the at least one operation that causes each functional module's sub-state to change comprises:
    operations that cause the sub-state of the task management module to change, comprising task suspend, task schedule, task create, task restart or task resume;
    operations that cause the sub-state of the interrupt management module to change, comprising enabling or disabling interrupts;
    operations that cause the sub-state of the time management module to change, comprising accumulating the count or clearing it.
  6. The finite-state-machine-based formal modeling method for an operating system requirement layer according to claim 5, characterized in that determining the system state of the operating system from the sub-states of the functional sub-modules comprises:
    determining the task list of the operating system from the sub-state of the task management module, the task list containing the task state of every task managed by the task management module;
    determining the time-slice interrupt information of the operating system from the sub-states of the interrupt management module and the time management module, the time-slice interrupt information containing the time-slice interrupt switch state and the accumulated count time t;
    determining the system state of the operating system from the task list and the time-slice interrupt information.
  7. The finite-state-machine-based formal modeling method for an operating system requirement layer according to claim 6, characterized in that the trigger events that cause system state changes comprise:
    the control-cycle interrupt, the time-slice interrupt and early task termination.
  8. The finite-state-machine-based method for formal modeling of the operating system requirement layer according to claim 7, wherein establishing the finite-state-machine-based formal model of the operating system requirement layer according to the determined system states and the trigger events that cause the system state to change comprises:
    after initialization the operating system is in an initial state S0; the operating system comprises a system task, N application tasks and one idle task, N≥3; at this time only the idle task in the initial task list is in the running state and all other tasks are in the suspended state; and, in the time slice interrupt information, the time slice interrupt is off and the cumulative count has not been started;
    when a control cycle interrupt occurs, the time slice interrupt is turned on and the cumulative count starts from 0, the state of the 1st application task changes from suspended to running, the state of the idle task changes from running to ready, and the system state transitions from the initial state S0 to state S1;
    when the 1st application task is running, a time slice interrupt occurs and the cumulative count time t is a new task start point, the state of the 1st application task changes from running to suspended, the state of the n-th application task changes from suspended to running, and the system state transitions from state S1 to state Sn, where 2≤n≤N-1;
    when the 1st application task ends early and the time slice interrupt is on, the state of the 1st application task changes from running to suspended, the state of the idle task changes from ready to running, and the system state transitions from state S1 to state M;
    when the n-th application task is running, a time slice interrupt occurs and the cumulative count time t is not a new task start point, the n-th application task continues to run, the states of the other tasks remain unchanged, and the system state remains Sn;
    when the n-th application task is running, a time slice interrupt occurs and the cumulative count time t is a new task start point, the state of the n-th application task changes from running to suspended, the state of the (n+1)-th application task changes from suspended to running, and the system state changes from Sn to Sn+1;
    when the idle task is running, a time slice interrupt occurs and the cumulative count time t is not a new task start point, the idle task continues to run, the states of the other tasks remain unchanged, and the system state remains M;
    when the idle task is running, a time slice interrupt occurs and the cumulative count time t is a new task start point, the state of the idle task changes from running to ready, the n-th or the (n+1)-th application task changes from suspended to running, and the system state changes from M to Sn or Sn+1;
    when the n-th application task ends early, the state of the n-th application task changes from running to suspended, the state of the idle task changes from ready to running, and the system state transitions from state Sn to state M;
    when the (n+1)-th application task ends early, the state of the (n+1)-th application task changes from running to suspended, the state of the idle task changes from ready to running, and the system state transitions from state Sn+1 to state M;
    after state SN is entered the time slice interrupt is turned off; when the N-th application task ends early, the state of the N-th application task changes from running to suspended, the state of the idle task changes from ready to running, and the system state transitions from state SN to state S0.
  9. The finite-state-machine-based method for formal modeling of the operating system requirement layer according to claim 1, wherein the operating system functional module database further comprises global properties of the operating system, and the method further comprises:
    determining whether the model satisfies the global properties; if it does, the operating system requirement layer is reliable.
  10. A finite-state-machine-based device for formal modeling of the operating system requirement layer, comprising:
    an acquisition module configured to, in response to a request to model the operating system requirement layer, acquire from an operating system functional module database a plurality of functional modules corresponding to the operating system, at least two sub-states corresponding to each functional module, and at least one operation that causes the sub-state of each functional module to change, wherein the operating system functional module database stores the correspondence among operating systems, functional modules, functional module sub-states and the operations that cause the sub-states to change;
    a determination module configured to determine the system state of the operating system according to the sub-states of the functional sub-modules, and to determine the trigger events that cause the system state to change according to the operations, corresponding to each sub-module, that cause its sub-state to change;
    a modeling module configured to establish a finite-state-machine-based formal model of the operating system requirement layer according to the determined system states and the trigger events that cause the system state to change.
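As an added example (not code from the patent), the state machine of claim 8 written out in Python together with the kind of exhaustive check claim 9 calls for: every reachable system state is enumerated and a global property (exactly one task running, the idle task running only in S0 and M) is tested on each. The instance (N = 4 application tasks, new task start points at t = 2, 4, 6) and the saturating bound T_MAX on the cumulative count are constructed assumptions, not values from the patent.

```python
from collections import deque

SUSPENDED, READY, RUNNING = "suspended", "ready", "running"
EVENTS = ("control_cycle", "time_slice", "early_end")  # the three trigger events of claim 7
N_APP = 4                                             # constructed instance: N = 4 application tasks
START_POINTS = {2: 2, 4: 3, 6: 4}                     # constructed schedule: count t -> task started at t
T_MAX = max(START_POINTS) + 1                         # assumption: count saturates past the last start point

def initial():  # S0 of claim 8: idle task running, application tasks suspended, slice interrupt off
    tasks = {**{i: SUSPENDED for i in range(1, N_APP + 1)}, "idle": RUNNING}
    return (tuple(tasks.items()), False, 0, "S0")

def running(task_items):  # names of the tasks currently in the running state
    return [k for k, v in task_items if v == RUNNING]

def step(state, event):
    """One transition of the claim 8 FSM; state is (task items, slice_on, t, name)."""
    tasks, slice_on, t, name = dict(state[0]), *state[1:]
    cur = running(state[0])[0]
    if event == "control_cycle" and name == "S0":        # S0 -> S1: slice on, count from 0
        tasks[1], tasks["idle"], slice_on, t, name = RUNNING, READY, True, 0, "S1"
    elif event == "time_slice" and slice_on:              # Sn -> Sn | Sn+1, M -> M | Sk
        t = min(t + 1, T_MAX)
        k = START_POINTS.get(t)
        if k is not None:                                 # t is a new task start point
            tasks[cur] = READY if cur == "idle" else SUSPENDED
            tasks[k], name = RUNNING, f"S{k}"
            slice_on = k != N_APP                         # claim 8: slice interrupt off once in SN
    elif event == "early_end" and cur != "idle":          # Sn -> M, SN -> S0 (count not started)
        tasks[cur], tasks["idle"] = SUSPENDED, RUNNING
        name, t = ("S0", 0) if cur == N_APP else ("M", t)
    return (tuple(tasks.items()), slice_on, t, name)

def one_task_running(state):
    """Global property in the sense of claim 9: exactly one task runs, the idle task only in S0 and M."""
    idle_runs = dict(state[0])["idle"] == RUNNING
    return len(running(state[0])) == 1 and idle_runs == (state[3] in ("S0", "M"))

def check_global_property(prop=one_task_running):
    """BFS over all reachable system states testing prop on each; returns (count, first violation or None)."""
    seen, queue = {initial()}, deque([initial()])
    while queue:
        s = queue.popleft()
        for ev in EVENTS:
            nxt = step(s, ev)
            if not prop(nxt):
                return len(seen), nxt
            if nxt not in seen:
                seen.add(nxt); queue.append(nxt)
    return len(seen), None
```

For this instance the exploration visits 14 reachable states and finds no violation; a property such as "state M is never reached" is reported with the first offending state, which is how an unsatisfied global property would surface during the check of claim 9.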
PCT/CN2020/086378 2019-04-28 2020-04-23 Finite-state machine-based method and device for operating system requirement layer formal modeling WO2020221097A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910351821.2A CN110134504A (en) 2019-04-28 2019-04-28 A kind of operating system demand layer Formal Modeling and device based on finite state machine
CN201910351821.2 2019-04-28

Publications (1)

Publication Number Publication Date
WO2020221097A1 true WO2020221097A1 (en) 2020-11-05

Family

ID=67575579

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/086378 WO2020221097A1 (en) 2019-04-28 2020-04-23 Finite-state machine-based method and device for operating system requirement layer formal modeling

Country Status (2)

Country Link
CN (1) CN110134504A (en)
WO (1) WO2020221097A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110134504A (en) * 2019-04-28 2019-08-16 北京控制工程研究所 A kind of operating system demand layer Formal Modeling and device based on finite state machine
CN111553070A (en) * 2020-04-24 2020-08-18 国电南瑞科技股份有限公司 Finite state machine modeling method and device for stabilizing action logic of control device and storage medium
CN115061736A (en) * 2022-05-19 2022-09-16 北京控制工程研究所 Dynamic task management method and system based on service registration mechanism
CN116450101B (en) * 2023-04-27 2024-04-09 睿珀智能科技有限公司 Software architecture design method, system and equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101290588A (en) * 2008-03-07 2008-10-22 重庆邮电大学 Micro-embedded real time task scheduling device and scheduling method
US20090024381A1 (en) * 2007-07-20 2009-01-22 Fujitsu Limited Simulation device for co-verifying hardware and software
CN109324885A (en) * 2018-09-13 2019-02-12 厦门拓宝科技有限公司 A kind of multitask management process applied to the monolithic processor controlled minimum operation system of UPS and based on minimum operation system
CN109684681A (en) * 2018-12-06 2019-04-26 西南电子技术研究所(中国电子科技集团公司第十研究所) Using the high layering verification method of UVM verification platform
CN110134504A (en) * 2019-04-28 2019-08-16 北京控制工程研究所 A kind of operating system demand layer Formal Modeling and device based on finite state machine

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ZHANG, JINKUN ET AL.: "Formal Verification of Operating System Requirements Layer Based on Finite State Machine", AEROSPACE CONTROL AND APPLICATION, vol. 45, no. 2, 23 April 2019 (2019-04-23), XP055750121, ISSN: 1674-1579, DOI: 10.3969/j.issn.1674-1579.2019.02.007 *

Also Published As

Publication number Publication date
CN110134504A (en) 2019-08-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20798054

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20798054

Country of ref document: EP

Kind code of ref document: A1