| Software-implement fault tolerance (FT) is an effective way to achieve high availability and reliability. It takes two successive steps to tolerate faults in software: the error detection step aims to identify the presence of an error, while the recovery step aims to transfer abnormal states into normal ones. The effectiveness of a fault-tolerant mechanism depends on its fitness for an application context, including fault assumption, application domain, execution environment, etc. This constraint makes fault-tolerant mechanisms inflexible to the change of environment and user requirements. As a kind of Internet-scale software, Internetware runs in an open and dynamic environment, and consists of various third-party components. This openness leads to a fact that its behaviors may change continuously. When applying fault-tolerant mechanisms to Internetware, it is very likely that a formerly effective mechanism no longer works after the fault assumption, fault-tolerant requirements, or application-specific constraints are changed due to the change of execution environment or components upgrade.Reconfiguring fault-tolerant mechanisms for Internentware at runtime is a promising way to achieve high availability and reliability all the time. The reconfiguration includes adding a fault-tolerant mechanism to a non-fault-tolerant component, eliminating existing mechanism from a component, or switching between different mechanisms for a component. This thesis focuses on the above problem of dynamic reconfiguration of fault-tolerant mechanisms for Internetware.There are two major challenges in solving the problem. The first challenge is to make a clear separation between the software's functional parts and the fault-tolerant parts, and the relationships between these two parts have to be explicitly specified. Otherwise, it is hardly to modify the fault-tolerant parts without do harm to the functional parts. The second challenge is to ensure the correctness and the effectiveness of the dynamic reconfiguration of fault-tolerant mechanisms. In the thesis, we present a Software Architecture (SA)-based approach to achieve the goal.At first, in order to depict the relationship between fault-tolerant mechanisms and application components, we specify the fault-tolerant mechanisms suitable for Internetware as a special architectural style - fault-tolerant styles, which explicitly grasp the mechanisms'structural characters, behavioral characters, and the interactions with application components. The available fault-tolerant styles are also classified and well-organized for the sake of reuse. In addition, a formal model for fault-tolerant SA is given to enable the validation of the reconfiguration. The formal model covers the fault-tolerant styles and dependencies among components, and forms the theoretical foundation of the dynamic reconfiguration of fault-tolerant mechanisms.Second, in order to select the most suitable one from several fault-tolerant styles, we use model checking to obtain solid evidences. As a pre-process step, fault-tolerant styles'behavioral models are automatically translated into a model checker's verification model, and the fault-tolerant requirements and application-specific constraints are specified as fault-tolerant properties. Then the satisfactions of the required properties for candidate styles are verified by model checking. The satisfied properties and constraints are evidences for the selection.Third, in order to avoid the human mistakes in dynamic reconfiguration and alleviate maintainers'burden, we provide an automatic generation of the reconfiguration operations in middleware. As the first step, the scope of to-be-modified components in an application is automatically identified, with the help of dependency information provided by SA. Then the elements in a fault-tolerant style instance and those in the application are matched via the comparison of the style instance and application's architecture. At last, model transformation technique automatically merges the style instance and the application architecture, as well as generates a desired fault-tolerant configuration. The merged fault-tolerant SA can be verified for its effectiveness and correctness. At last, we present a framework supporting dynamic reconfigurable FT in middleware. It consists of a fault-tolerant sandbox design and an FT management service. The fault-tolerant sandbox is extended from generic component containers, and it acts as a unit of the reconfiguration. Different fault-tolerant styles are implemented as different combination of container interceptors in the sandboxes. The sandbox supports dynamic loading/unloading of the interceptors to implement the dynamic reconfiguration of fault-tolerant mechanisms. The FT management service acts as the coordinator of dynamic reconfiguration and recovery. The fault-tolerant configuration generated in the above SA-level planning is mapped to a sequence of middleware operations, with the help of Runtime Software Architecture, and executed by the framework. The framework provides transparent FT and dynamic reconfigurable FT for applications, and works well in PKUAS and JBoss.A JEE application, ECperf, is illustrated as a case study in the thesis. It shows the effectiveness of the proposed approach.
|
PDF Full Text Request