Towards Compositional Synthesis of Evolving Systems

Transcription

1 Towads Compositiona Synthesis of Evoving Systems Shiva Nejati Mehdad Sabetzadeh Masha Chechik Sebastian Uchite Pamea Zave Univesity of Toonto Toonto, Canada U. of Buenos Aies, Agentina & Impeia Coege London, UK AT&T Labs Reseach Foham Pak, NJ, USA ABSTRACT Synthesis of system configuations fom a given set of featues is an impotant and vey chaenging pobem. This pape makes a step towads this goa by descibing an efficient technique fo synthesizing pipeine configuations of featue-based systems. We identify and fomaize a design patten that is commony used in featuebased deveopment. We show that this patten enabes compositiona synthesis of featue aangements. In paticua, the patten aows us to add o emove featues fom an existing system without having to econfigue the system fom scatch. We descibe an impementation of ou technique and evauate its appicabiity and effectiveness using a set of teecommunication featues fom AT&T, aanged within the DFC achitectue. Categoies and Subject Desciptos D.2.1 [Softwae Engineeing]: Requiements/Specifications Genea Tems Design, Veification Keywods Featue-Based Deveopment, Synthesis, Behavioua Design Pattens, Pipeines, I/O Automata. 1. INTRODUCTION Featue-based deveopment has ong been used as a way to povide sepaation of concens, to faciitate maintenance and euse, and to suppot softwae customization based on end-use needs [34, 24, 18, 1, 25]. Individua featues typicay captue specific units of functionaity with diect eationships to the equiements that inspied the softwae system in the fist pace [15]. By cosey mioing equiements, featues make it easie to econfigue o expand a system as its undeying equiements change ove time. To meet the desiabe popeties expected fom a featue-based system, the inteactions among its featues need to be constained and ochestated. This is often done by putting featues in a suitabe aangement, typicay a inea one such as a stack o a pipeine, that inhibits undesiabe inteactions. Pemission to make digita o had copies of a o pat of this wok fo pesona o cassoom use is ganted without fee povided that copies ae not made o distibuted fo pofit o commecia advantage and that copies bea this notice and the fu citation on the fist page. To copy othewise, to epubish, to post on seves o to edistibute to ists, equies pio specific pemission and/o a fee. SIGSOFT 2008/FSE-16, Novembe 9 15, Atanta, Geogia, USA Copyight 2008 ACM $5.00. Existing eseach on featue inteaction anaysis, e.g., [33, 21, 19, 17, 31, 24, 14, 7], agey concentates on easoning about and esoving undesiabe inteactions between a set of featues whose aangement is given a pioi. Yet a compementay pobem, of how to automaticay synthesize an aangement when one is not given, has not been studied much. The pobem is impotant it cuenty takes substantia expetise and effot to find an aangement of featues that does not esut in undesiabe inteactions. Unfotunatey, a naive attempt at automaticay aanging featues is infeasibe: thee is an exponentia numbe of atenative aangements to conside when seaching fo a desiabe one. Hence, we need compositiona techniques that can educe the pobem of finding a desiabe aangement into smae subpobems. This need becomes even moe pessing in systems that evove ove time, whee featues ae peiodicay added, emoved, o evised. Without compositiona techniques fo synthesizing evoving systems, new aangements of featues may have to be ceated fom scatch afte each change. Ou goa is to povide compositiona techniques fo synthesizing softwae systems fom an evoving, abitaiy age set of (diffeent) featues. To achieve this goa, we daw inspiation fom the iteatue on component-based softwae. A genea way to enabe compositiona easoning about systems with an abitay numbe of components is by expoiting behavioua simiaities between components. Fo exampe, [13, 12] show that system-wide veification tasks can be decomposed if components exhibit identica o vituay identica behavious. The motivation fo the wok is veification of ow-eve opeating system potocos, e.g., mutua excusion whee sevea identica copies of a pocess attempt to ente a citica section. Moe ecent wok, e.g., [2], expoes simia ideas to bing compositiona easoning to softwae systems in which components have divese behavious. Thee, the equied degee of simiaity between components is achieved by having components impement a design patten. In this pape, we aim to study how the design pattens used in featue-based deveopment can enabe compositiona synthesis of featue aangements. We gound ou wok on pipeines popua achitectues fo buiding featue-based systems [4, 21, 19, 24] which aow one to define the ovea behaviou of a system in tems of a simpe composition of the behavious of the individua featues [36]. A common objective in designing featue pipeines is to minimize the visibiity of each featue to the est. This is to ensue that individua featues can opeate without eying on those appeaing befoe o afte them in the pipeine [36]. To eaize this objective, featues ae usuay designed such that they engage in defining the ovea behaviou of the system ony when they pefom thei function. Moe pecisey, featues ate the fow of signas in

2 downsteam CB RVM QT SFM AC NATO upsteam Figue 1: A simpified inea DFC scenaio. the pipeine ony when they ae poviding thei sevice; othewise, they et the signas pass though without side-effects. The abiity of a featue to emain unobsevabe to othe featues when it is not poviding its sevice is caed tanspaency. In this pape, we ague that tanspaency is sufficient to make pipeine synthesis compositiona, equiing the anaysis of just pais of featues to detemine thei eative ode in the ovea pipeine. In paticua, we make the foowing contibutions: 1. We fomaize the tanspaency patten of behaviou and show that fo featues impementing this patten, goba constaints can be infeed on the ode of the featues though paiwise anaysis of the featues. 2. We descibe a sound and compete compositiona agoithm fo synthesizing pipeine aangements. Given a set of featues and a set of safety popeties descibing undesiabe inteactions, ou agoithm computes an aangement of the featues that is safe fo the given popeties. Specificay, the agoithm uses the safety popeties to compute a set of paiwise odeing constaints between the featues. Due to the tanspaent behaviou of the featues, any goba odeing that vioates a paiwise odeing constaint can be deemed unsafe and puned fom the seach space of the soution, eaving a eativey sma numbe of goba odeings to be geneated and veified by the agoithm. Ou agoithm is change-awae in the sense that afte adding o modifying a featue, we need to update ony the paiwise odeing constaints eated to that paticua featue and euse the emaining constaints fom the pevious system. 3. We epot on a pototype impementation of ou synthesis agoithm, appying it to a set of AT&T teecom featues to find a safe aangement fo them in the Distibuted Featue Composition (DFC) achitectue [21]. Ou agoithm coud automaticay and efficienty compute a safe aangement fo the DFC featues in ou study. The est of the pape is oganized as foows. In Section 2, we motivate ou wok using an exampe fom the teecom domain. Afte fixing the notation and eviewing basic notions of efinement and mode checking in Section 3, we fomaize featues as I/O automata and define a notion of binding fo descibing pipeines in Section 4. Section 5 is the main contibution of the pape. It fomaizes the tanspaency patten that guaantees that synthesis can be done compositionay. We descibe ou synthesis agoithm in Section 6 and its impementation in Section 7. In Section 8, we evauate ou technique on a set of AT&T teecom featues. We eview eated wok and compae it with ou appoach in Section 9 and concude the pape with a summay of contibutions and an outine of futue eseach diections in Section MOTIVATION We motivate ou wok by anayzing a simpified instance of a teecom scenaio (see Figue 1). Featues in this scenaio ae aanged in a pipeine and incude Ca Bocking (CB), Recod Voice Ca Bocking (CB) s 0 s 1 initia cb. checking cb.eject; / cb./ cb. cb. s 3 bocked cb. t 0 initia vm./ vm. waiting cb.accept; / cb. s 2 ide Recod Voice Mai (RVM) vm./ vm. vm./ vm. cb. t 1 t 2 vm./ vm. vm./ vm. ide cb./ cb. vm. t 3 t 4 vm.es_unavai;/ vm. cb./ cb. check esouces vm.es_avai; / vm.voicemai; ecoding vm. vm. A abe ''e1/e2'' on a tansition indicates that the tansition is tiggeed by action ''e1'' and geneates action ''e2'' afte being taken. Tansitions can be tiggeed eithe by input actions, i.e., those eceived fom outside, o by intena actions. When taken, a tansition geneates zeo o moe intena o output actions. It is assumed that the actions geneated by a state machine do not tigge any tansition of that state machine. To distinguish between input, output, and intena actions, we append to each action e the symbo ''?'' if e is an input action, the symbo ''!'' if e is an output action, and the symbo '';'' if e is an intena action. Futhe, to disambiguate between the actions of diffeent state machines, we pefix evey action with the name of the state machine it beongs to. Figue 2: Ca Bocking (CB) and Recod Voice Mai (RVM). (a) RVM CB RVM CB Figue 3: Possibe odeings of the featues in Figue 2. Mai (RVM), Quiet Time (QT), Sequentia Find Me (SFM), No Answe Time Out (NATO), and Answe Confim (AC). Pipeine featues communicate by passing signas to thei immediate neighbous. Signas that tave end-to-end pass though a featues, aowing each featue to peceive and modify the ovea function of the pipeine. Fo exampe, Figue 1 shows the fow of the signas setup and unavai. Thee ae many othe signa types, but we show ony the most eevant ones hee.

3 (a) RVMCB CBRVM (s 0, t 0 ) initia, initia cb. / vm. vm. (s 1, t 1 ) (s 2, t 1 ) cb.eject; (s 3, t 2 ) vm. checking, waiting bocked, check esouces cb.accept; / cb. (s 3, t 4 ) vm.es_avai;/ vm.voicemai; ide, waiting bocked, ecoding vm. vm./ cb. cb. (s 0, t 0 ) initia, initia vm. / cb. (s 1, t 0 ) (s 2, t 1 ) cb. checking, initia cb.eject; / cb.unavai; (s 3, t 0 ) cb. vm. bocked, initia cb.accept; / vm. (s 2, t 2 ) cb. / vm. ide, waiting vm. ide, check esouces cb. Figue 4: Fagments of the compositions of the featues in Figue 2 with espect to the odeings in Figue 3. The communication between the featues in a pipeine is eithe buffeed o unbuffeed (synchonous). The fome faciitates eiabe communication but compicates easoning: it is known that veification of a distibuted system with unbounded buffes is undecidabe [5]. Instead, we assume that featues communicate though synchonous message passing, which makes fo moe tactabe easoning but imposes estictions on the design of featues: they shoud be esponsive to a potentia input at a time, i.e., they shoud be input-enabed. This equiement is captued in a numbe of standad fomaisms fo descibing concuent systems, e.g., I/O automata [26]. Fo exampe, a the featues in Figue 1 ae enabed fo setup and unavai. To efe to the diections within a pipeine, we use the tems upsteam (ight to eft) and downsteam (eft to ight). In ou exampe, the setup signa taves downsteam, and the unavai signa taves upsteam. Fo featues F and F in a pipeine, we wite F < F to indicate that F is upsteam ( to the eft of ) of F. Fo exampe, in Figue 1, CB < NATO. Figue 2 shows the state machines fo CB and RVM in the pipeine of Figue 1. The pupose of CB is to bock caing equests coming fom addesses on a bocked ist. CB becomes active by eceiving a setup signa containing initiaization data such as the diectoy numbes of the cae and caee. Using this data and its intena ogic, CB decides whethe the cae shoud be bocked. If so, it moves to the bocked state and teas down the ca; othewise, it moves to the ide state and effectivey becomes invisibe. The pupose of RVM is to ecod a voicemai message when the caee is not avaiabe. Like CB, RVM is activated on eceipt of a setup signa. It then emains in its waiting state unti it eceives an unavai signa, indicating that the caee is unavaiabe o unabe to eceive the ca. If the media esouce is avaiabe, RVM moves to the ecoding state and ets the cae eave a voicemai message. Othewise, if the media esouce is unavaiabe, e.g., the maibox quota fo the use is exceeded, RVM moves to its ide state. Featue Inteaction. The behaviou of the composition of the featues in a pipeine depends on the odeing of the featues, and the goa of ou wok is to synthesize an odeing which wi guaantee absence of undesiabe compositions. Fo exampe, suppose we ae tying to avoid the composition: RVM shoud not ecod a message if CB bocks the cae [37], fomaized as the foowing negative tace 1 : NS 1 = cb.eject; vm.voicemai; CB and RVM can be put in a pipeine one of the two ways, as shown in Figue 3. The odeing in Figue 3(a) yieds the composi- 1 The tace vm.voicemai; cb.eject; coud have been consideed instead of NS 1 as we. (a) A A a. a. a. a. B b. b.voicemai; C c. B b. b.voicemai; Figue 5: Loca odeing vs. goba odeing. tion in Figue 4(a), and the one in Figue 3 the composition in Figue 4. These compositions wee computed based on the paae composition semantics in synchonous mode of communication [29]. The composition in Figue 4(a) esuts in an undesiabe inteaction: the path fom (s 0, t 0) to (s 3, t 4) geneates the tace NS 1, i.e., vm.voicemai; comes afte cb.eject;. The composition in Figue 4, on the othe hand, does not exhibit NS 1, impying that CB shoud come befoe RVM in a pipeine. Note that due to ack of space, Figues 4(a) and ony show the eevant fagments of these compositions. Synthesis Chaenge. In genea, finding a suitabe odeing cannot be done compositionay when the featues in a pipeine have unconstained designs. Fo exampe, conside sampe featues A and B in Figue 5(a) and the popety A voicemai message shoud not be ecoded 2, i.e., action b.voicemai; must not be poduced by the composition of A and B. This popety does not hod ove eithe a pipeine in which A < B, o the one in which B < A. In the fome case, A sends setup to B, and B geneates b.voicemai;, and in the atte case, B eceives setup fom the envionment and geneates b.voicemai;. So, it may seem that the given coectness popety does not hod on a pipeine containing A and B. Howeve, conside the new featue C in Figue 5 which bocks the action setup. The pipeine A < C < B in Figue 5 satisfies the given coectness popety, i.e., the composition of these featues, when aanged in the above ode, does not geneate b.voicemai;. This exampe shows that, in genea, we may not be abe to infe a goba odeing ove the pipeine by anayzing subsets of components. Even though the given coectness popety ony concens B, ou anaysis needs to conside a the components in the pipeine. Hence, given n unesticted components, we need to check exponentiay many (n! O(2 n og n )) pipeine aangements to find one which satisfies the popeties of inteest. This is intactabe fo a but the most tivia pipeines. 2 This popety is used ony fo iustation.

4 (a) a b c s 0 s 1 s 2 s 3 Figue 6: Exampes of LTSs. b a a b s ab s b s ɛ Tanspaency Patten. To be abe to ift an odeing ove a subset of pipeine featues to the entie pipeine, we ey on a patten of behaviou caed tanspaency. Each featue impementing this patten can exhibit an execution aong which it is unobsevabe (tanspaent). When executing tanspaenty, a featue sends any signa eceived fom its eft to its ight, and any signa eceived fom its ight to its eft, possiby with some finite deay. Featues impementing the tanspaency patten can sti pefom thei specific functionaity via othe executions, o via unobsevabe behavious. Fo exampe, in Figue 2, CB s tanspaent execution is fom s 0 to s 2, and RVM s fom t 0 to t 3. CB behaves tanspaenty if the ca equest comes fom a non-bocked addess. In this case, the system poceeds as if CB wee neve pesent; othewise, CB povides its sevice by bocking the incoming ca, i.e., by taking the path fom s 0 to s 3. As fo RVM, the featue exhibits its tanspaent behaviou when its media esouce is unavaiabe; othewise, it aows the use to eave a voicemai message by taking the path fom t 0 to t 4. Fo pipeine featues impementing the tanspaency patten, we pove the foowing (Section 5): if a pipeine consisting of just two featues F and F whee F < F vioates a safety popety ϕ, a pipeine with an abitay numbe of components in which F < F vioates ϕ as we. This enabes a compositiona agoithm fo synthesizing pipeine odeings (Section 6). 3. PRELIMINARIES In this section, we fix the notation and povide backgound on composition semantics, efinement, and mode checking. Labeed Tansition Systems (LTS). An LTS is a tupe M = (S, s 0, E, R) whee S is a set of states, s 0 S is an initia state, E is a set of actions, and R S E S is a set of tansitions. We wite a tansition (s, e, s ) R as s e s. Two exampe LTSs ae shown in Figue 6. A tace of an LTS M is a finite sequence σ of actions that M can pefom stating at its initia state. Fo exampe, ɛ, a, ab, and abc ae taces of the LTS in Figue 6(a). The set of a taces of M is caed the anguage of M, denoted L(M). We say σ = e 0e 1... e n is a tace ove Σ if e i Σ fo evey 0 i n. We denote by Σ the set of a finite taces ove Σ. Let M be an LTS, and E E. We define M@E to be the esut of esticting the set of actions of M to E, i.e., epacing actions in E \ E with the unobsevabe action τ and educing E to E. Fo an LTS M with τ-abeed tansitions, we conside L(M) to be the set of taces of M with the occuences of τ emoved. This is a standad way fo hiding unobsevabe computations of LTSs [23]. Composition. The composition of two LTSs that un asynchonousy and communicate though synchonous message passing is fomaized as paae composition [29]. The paae composition opeato combines the behavious of two LTSs by synchonizing thei shaed actions and inteeaving thei non-shaed ones. Uness stated othewise, it is assumed that actions with identica names ae shaed, and the est ae non-shaed. DEFINITION 1 (PARALLEL COMPOSITION [29]). Let M 1 = (S 1, s 0, E 1, R 1) and M 2 = (S 2, t 0, E 2, R 2) be LTSs. The paae composition of M 1 and M 2, denoted M 1 M 2, is defined as an LTS (S 1 S 2, (s 0, t 0), E 1 E 2, R), whee R is the smaest eation satisfying the foowing: R = {((s, t), e, (s, t)) (s, e, s ) R 1 e E 2 } S {((s, t), e, (s, t )) (t, e, t ) R 2 e E 1 } S {((s, t), e, (s, t )) (s, e, s ) R 1 (t, e, t ) R 2 } Refinement. Refinement fomaizes the eation between two LTSs at diffeent eves of abstaction. Refinement is usuay defined as a vaiant of simuation. In this pape, we use the notion of weak simuation (aso known as obsevationa simuation) to check the existence of a efinement eation between two LTSs [29]. This notion can be used fo eating LTSs with diffeent sets of actions by epacing thei non-shaed actions with τ. Fo states s and s of an LTS M, we wite s = τ s to denote s( ) τ s. Fo e τ, we wite s = e s to denote s( = )( τ )( e = )s τ. DEFINITION 2 (SIMULATION [29]). Let M 1 and M 2 be LTSs, whee E 1 = E 2 = E. A eation S 1 S 2 is a weak simuation, o simuation fo shot, whee s t iff s S 1 e E {τ} s e s t e S 2 t = t s t We say M 2 simuates M 1, witten M 1 M 2, iff s 0 t 0 THEOREM 1. [29] Let M 1 and M 2 be LTSs whee M 1 M 2. Then, L(M 1) L(M 2). Based on the above theoem, simuation is a sufficient condition fo tace containment. Reca that L(M 1) and L(M 2) captue ony the obsevabe behavious of M 1 and M 2. Thus, Theoem 1 states that if M 1 M 2, then M 2 can geneate evey obsevabe tace of M 1, but not necessaiy taces with τ-steps. Mode Checking. We expess coectness popeties as finite negative taces ove the set of actions of a system. Negative taces chaacteize the behavious that a system must not exhibit (safety popeties). Fo exampe, the popety NS 1 descibed in Section 2 is a safety popety fo a teecom system with featues CB and RVM. To satisfy this popety, the system must not aow vm.voicemai; to occu afte cb.eject;, i.e., the tace cb.eject; vm.voicemai; is a negative tace. Let M = (S, s 0, E, R) be an LTS, and et σ = e 1e 2... e n be a tace ove E whee E E. We say that M satisfies a negative tace σ if whee Stut(σ) L(M@E ) = Stut(σ) = (E \ e 1) e 1(E \ e 2) e 2... (E \ e n) e n That is, the system that needs to excude NS 1 shoud not aow any tace in the anguage b aa b, whee a = cb.eject; and b = vm.voicemai;, eithe. This can be detemined by tansating σ to a safety LTS M σ and computing the paae composition of M and M σ (e.g., see [27]). Fomay, et σ be a tace ove E. A safety LTS M σ is a tupe (S, s σ, E, R) whee S = {s σ σ is a (possiby empty) suffix of σ} R = {(s σ, e, s σ ) σ = e.σ σ is a suffix of σ} {(s σ, e, s σ ) σ = e.σ e E e e σ is a suffix of σ} Fo exampe, the LTS in Figue 6 can be intepeted as the safety LTS fo the negative tace NS 1 in Section 2 by etting a =

5 cb.eject; and b = vm.voicemai;. Note that state s ɛ, which coesponds to the empty suffix ɛ, is without outgoing tansitions in evey safety LTS. Reachabiity of this state detemines whethe M can geneate σ. That is, Stut(σ) L(M@E ) = iff state s ɛ is not eachabe in M σ M. Thus, mode checking an LTS M against a negative tace σ can be done by composing M with M σ and checking eachabiity of s ɛ. 4. I/O AUTOMATA AND PIPELINES We descibe featues as I/O automata [26]. This fomaism is chosen because (1) I/O automata aow distinguishing between the input, intena, and output actions of featues this distinction between diffeent types of actions is cucia fo popey descibing the communications between featues [26]; and (2) I/O automata ae input-enabed by design. Input-enabedness makes it easie to detect and avoid deadocks [26, 38] and futhe, povides a way to teminate featues that ae stuck in eo oops and hence ae wasting esouces [38]. DEFINITION 3 (I/O AUTOMATA [26]). An I/O automaton is a tupe A = (S, s 0, E, R), whee S is a finite set of states; s 0 S is an initia state; E is a set of actions patitioned into input actions (E i ), output actions (E o ), and intena actions (E h ); and R S E S is a set of tansitions. Input actions ae those that a featue eceives fom its envionment. Intena actions epesent events scoped inside a featue and invisibe outside of it. Exampes of such events incude intena times and communication with media devices. Output actions epesent a featue s esponse to its input and intena actions. An I/O automaton can be viewed as an LTS if the distinction between input, output and intena actions is ignoed. Given an I/O automaton A = (S, s 0, E = E i E o E h, R), we wite LTS(A) to denote the LTS (S, s 0, E, R). Simia to LTSs, we wite A@E to denote A with its set of actions educed fom E to E, and wite L(A) to denote the set of taces of A. Figues 7(a) and show the I/O automata fo the state machines in Figues 2(a) and, espectivey. The abes of the input and output actions of these I/O automata have infixes (ight) and (eft); these indicate the diections in which these actions ae communicated (see Definition 4). We say a state s is enabed fo an action e if s has an outgoing tansition abeed e. A state s is quiescent if s is not enabed fo any output o intena actions. Intuitivey, an automaton in a quiescent state is sticty waiting fo an input fom its envionment. An I/O automaton A is input-enabed if the foowing conditions hod: 1. A etuns pompty to some quiescent state afte eaving one. We assume the execution time of tansitions abeed with output and intena actions to be negigibe. Thus, pompt etun to a quiescent state means that output and intena actions neve bock the execution, and futhe, no cyce of tansitions abeed with ony intena and output actions exists. 2. Quiescent states of A ae enabed fo a input actions. Fo exampe, states s 0, s 3, and s 5 in Figue 7(a) ae quiescent and ae enabed fo a input actions of CB, i.e., cb.. and cb... As shown in Figue 1, each featue has one pot on its eft and one on its ight side, and actions can be sent o eceived fom eithe of these two pots. To be abe to efe to the diection of communication in a pipeine, we augment I/O automata with action mappings which specify the pot fom which an action is sent o eceived. DEFINITION 4 (FEATURES). A featue F is a tupe (A F, f) whee A F is an I/O automaton, and f : E i E o {, } is a function that maps evey input and output action of F to eithe the ight,, o the eft,, pot of F. We wite F..e (o, espectivey, F..e ) to say that action e is mapped to pot (o, espectivey, ). Note that f does not map the intena actions of a featue because these actions ae invisibe outside the featue. In Figue 1, the smae boxes attached to the featues denote the pots. Actions ae visuaized as sma cices on the appopiate pots. Fo exampe, CB has an (output) action cb.. mapped to its ight pot, and RVM has an (input) action vm.. mapped to its eft pot. To fomay specify how two consecutive featues in a pipeine communicate, we define a notion of binding fo connecting the ight pot of one featue to the eft pot of anothe. DEFINITION 5 (PIPELINE BINDINGS). Let F 1 and F 2 be consecutive featues in a pipeine; et R = {e E 1 f 1(e) = }; and et L = {e E 2 f 2(e) = }. A (pipeine) binding B R L between F 1 and F 2 is a one-to-one coespondence eation between L and R that eates input actions ony to output actions, and output actions ony to input actions; i.e., (e 1, e 2 ) B = `(e1 E o 1 e 2 E i 2 ) (e 1 E i 1 e 2 E o 2 ) Fo a binding B, we say an action is shaed if it occus in some tupe of B, and non-shaed othewise. The inks between the featues in Figue 1 can be expessed as bindings. Fo exampe, the CB RVM ink in the figue is chaacteized by the foowing binding: B = {(cb.., vm..), (cb.., vm..)} which indicates that the output action cb.. (of CB) synchonizes with the input action vm.. (of RVM), and the input action cb.. (of CB) synchonizes with the output action vm.. (of RVM). In ou woking exampe, bindings ae meaningfu ony if they eate actions with identica signa names. Fo exampe, had we consideed an additiona upsteam-taveing signa, unknown in Figue 1, it woud have been incoect to, say, eate actions cb..unknown? and vm... Thus, in this pape we assume that featues use a unified set of signas and a bindings ae based on signa name equivaences. On the othe hand, we ecognize that thee may be domains whee this assumption does not hod: featues may efe to a shaed signa by diffeent names, o efe to non-shaed signas by the same name. Though making mappings between actions expicit, a such bindings can be captued by Definition 5 diecty. To obtain the ovea behaviou of a set of communicating featues, we compose them with espect to the bindings estabished between them. To this end, we define a paae composition of I/O automata, wheeby featues synchonize thei shaed actions and inteeave thei non-shaed ones. DEFINITION 6 (COMPOSITION OF PIPELINE FEATURES). Let F 1 and F 2 be consecutive featues in a pipeine inked by a binding B. The paae composition of F 1 and F 2 with espect to B, denoted F 1 BF 2, is a featue (A, f) whee A = (S 1 S 2, (s 0, t 0), E = E i E o E h, R) with E i, E o, E h, and R defined as foows:

6 s 8 (a) cb.. cb.. s cb.. 0 s cb.accept; 1 s cb.. 2 s 3 cb.. cb.. cb.eject; s 4 cb.. cb.. s 7 s 6 cb.. s 5 cb.. cb.. vm.. vm.. vm.. t 0 t 1 t 2 t 3 vm.es_avai; vm.. vm.. vm.es_unavai; vm.. vm.. t 8 t t t vm.. vm.voicemai; vm.. t 5 vm.. t 11 vm.. t vm.. 6 vm.. t 7 vm.. Figue 7: I/O automata fo the state machines in Figue 2. E i = (E1 i Ei 2 ) \ {e e is a shaed input action} E o = (E1 o Eo 2 ) \ {e e is a shaed output action} E h = (E1 h Eh 2 ) B R = {((s, t), e, (s, t)) (s, e, s ) R 1 e is a non-shaed action} S {((s, t), e, (s, t )) (t, e, t ) R 2 e is a non-shaed action} S {((s, t),(e, e ),(s, t )) (s, e, s ) R 1 (t, e, t ) R 2 (e, e ) B} f = (f 1 f 2) \ {e e is a shaed action} The above is the same as the standad definition of paae composition fo I/O automata [26], except that we use bindings to expicity specify the shaed actions pio to composition. Since bindings ae one-to-one, it easiy foows that the B opeato is associative. Thus, the goba composition of the featues in a pipeine can be fomuated as a seies of binay compositions. 5. FORMALIZING TRANSPARENCY Intuitivey, if a featue F impements the tanspaency patten (motivated in Section 2), then thee is some envionment that coeces F to exhibit its tanspaent behaviou. Fo exampe, CB (in Figue 2) exhibits its tanspaent execution, i.e., fom s 0 to s 2, when data fom the envionment indicates that the caee has not bocked the cae. Since pipeine featues act independenty [21, 36], each featue can be coeced into its tanspaent execution independenty of othe featues. In this section, we fomaize the above intuition and pove (in Theoem 2) that if a featues impement the tanspaency patten, the foowing hods: If a pipeine with two featues (F foowed by F ) vioates a safety popety ϕ, a pipeine with an abitay numbe of featues in which F < F vioates ϕ as we. We expoit this esut in Section 6 to povide a compositiona agoithm fo odeing featues in a pipeine. The fomaization of the tanspaency patten G is shown in Figue 8. It is expessed as an I/O automaton with geneic input actions G.. x? and G.. y?, and geneic output actions G.. y! and G.. x!. State S 0 is quiescent, and states S 1 and S 2 ae tansient. A featue impementing this patten can exhibit some execution aong which it fowads any signa it eceives fom its eft x? y! S1 G.. x? S 0 G.. y? G.. x! G.. y! S 2 Figue 8: G: Geneic tanspaency patten. P.. S 0 P.. S S 2 1 P.. P.. x! y? Figue 9: P : Adaptation of the geneic tanspaency patten to the pipeine in Figue 1. pot onto its ight pot, and vice vesa. On this execution, a featue can deay the tansmission of actions fo a finite amount of time to pefom its intena behavious, but is not aowed to add o omit any actions, o to change the ode of actions being tansmitted. If the envionmenta data is such that a featue has to povide its sevice in esponse, the featue chooses a non-tanspaent execution o simpy fufis its functionaity though intena actions on its tanspaent execution. The cyce between states S 0 and S 1 in Figue 8 (heeafte, the downsteam cyce) handes signas that tave downsteam, and the cyce between S 0 and S 2 (heeafte, the upsteam cyce) handes signas taveing upsteam. To adapt the geneic tanspaency patten to a specific pipeine pobem, we need a copy of the downsteam cyce fo evey signa taveing downsteam, and a copy of the upsteam cyce fo evey signa taveing upsteam. Fo exampe, Figue 9 shows the adaptation, P, of the patten to the pipeine in Figue 1. Since this pipeine has one downsteam taveing signa, setup, and one upsteam taveing signa, unavai, P has one copy of the downsteam and one copy of the upsteam cyce. Had we consideed futhe signas, we woud have had moe copies of the coesponding cyces in this adaptation.

7 We chaacteize the impementation eation between a featue and its adaptation by weak simuation (see Definition 2), which aows us to eate featues with diffeent sets of actions. Having such fexibiity is key: athough the featues in a pipeine shae the same input and output actions with the patten adaptation, each featue has its own set of intena actions. Fo exampe, conside featues CB and RVM in Figue 7. CB s intena actions ae cb.eject; and cb.accept;, wheeas RVM s ae vm.es unavai;, vm.es avai; and vm.voicemai;. Such intena actions ae not used in P in Figue 9. To estabish a simuation eation between a featue and its patten adaptation, we need to hide the featue s intena actions. Fo exampe, afte epacing actions cb.eject; and cb.accept; of CB and vm.voicemai; of RVM with τ, both CB and RVM simuate P. The simuation eation fo CB is {(s 0, S 0), (s 1, S 1), (s 2, S 1), (s 3, S 0), (s 6, S 2), (s 7, S 2), (s 8, S 1)}, and fo RVM is {(t 0, S 0), (t 1, S 1), (t 2, S 0), (t 3, S 2), (t 4, S 2), (t 5, S 0), (t 6, S 2), (t 7, S 1), (t 8, S 2), (t 9, S 1)}. Befoe giving the main esut of this section, Theoem 2, we state two emmas used in the poof of the theoem. Fo the emainde of this section, et P be the adaptation of the geneic tanspaency patten, G, fo a paticua pipeine. LEMMA 1. Let F be a featue, and et B 1 bind F. to P.. If F vioates a desied safety popety, so does F B1 P. Simiay, et B 2 bind P. to F.. If F vioates a desied safety popety, so does P B2 F. The poof of this emma foows fom the fact that the set of taces of an abitay pipeine featue F is peseved in the composition of F with P, i.e., P does not affect taces of the composition. The foowing emma states that if the featues in a pipeine impement the tanspaency patten, so does the entie pipeine. That is, the featues cannot pohibit one anothe fom exhibiting thei tanspaent behaviou. LEMMA 2. Let F 1,..., F n be consecutive featues in a pipeine, whee B i binds F i. to F i+1.. If evey F i (1 i n) impements (i.e., weak simuates) P, so does the composition F 1 B1 F 2 B2... Bn 1 F n. Poof. We fist eca two standad esuts on paae composition of state tansition systems (see [9]). (1) fo evey M 1, M 2 and M 3, if M 1 M 2 then M 3 M 1 M 3 M 2. (2) fo evey M, we have M M M The poof foows by induction on n. The base case, n = 1, is tivia. Let F = F 1 B1 F 2 B2... Bn 2 F n 1. P F 1... P F n (by the inductive hypothesis) P F P F n (by (1)) P Bn 1 F n F Bn 1 F n P Bn 1 P P Bn 1 F n (by tansitivity of ) P Bn 1 P F Bn 1 F n (by (2)) P F Bn 1 F n Note that the actions of the eft and ight pots of a featues F 1,..., F n ae the same as those of P. Thus, a bindings B 1,..., B n ae identica. Theefoe, fo any B i, the opeato Bi can be used to compose any pai of featues o any featue with P. (a) F F F 1 F F i F j F F n Figue 10: An iustation fo Theoem 2. Finay, we pesent the main theoem of this section: THEOREM 2. Let F, F, F 1,..., F n be pipeine featues, and et F, F and evey F i (1 i n) impement P. If the pipeine in Figue 10(a) does not satisfy a desied safety popety, neithe does the pipeine in Figue 10. Poof (sketch). Let X 1 be the pipeine segment fom F 1 to F i 1, X 2 be the segment fom F i to F j, and X 3 be the segment fom F j+1 to F n in Figue 10. Suppose X is the pipeine obtained by epacing each X 1, X 2 and X 3 in Figue 10 with P, i.e., X consists of F, F and thee instances of P. By Lemma 2, if X is not safe, neithe is the pipeine in Figue 10. By Lemma 1 and Theoem 1 in Section 3, if the pipeine in Figue 10(a) is not safe, neithe is X. In Section 6, we use Theoem 2 to popose an efficient pipeine odeing agoithm. Anothe appication of this theoem, which we do not conside in this pape, is fo pipeine veification. Specificay, it foows fom the contapositive of the theoem that if a given pipeine satisfies a safety popety, any subsequence of the pipeine satisfies that popety as we. 6. COMPOSITIONAL SYNTHESIS In this section, we descibe the agoithm fo computing odeing of featues in a pipeine, to ensue that they do not admit any of the undesiabe inteactions. The agoithm, ORDERPIPELINE, is shown in Figue 11. The main engine of this agoithm is the function FINDPAIRWISECONSTRAINTS, shown in Figue 12, which computes a set C of odeing constaints between featue pais. These constaints ae infeed by mode checking the two possibe compositions of each featue pai against the safety popeties defined ove that pai. Fo exampe, et F 1 = CB and F 2 = RVM, and et negt = NS 1 (see Section 2). With these inputs, FIND- PAIRWISECONSTRAINTS yieds CB < RVM because the popety NS 1 hods in the composition whee CB comes befoe RVM (ine 5 in Figue 12), but not in the othe composition (ine 7). The esuting constaint CB < RVM is added to C (ine 11) which is etuned on ine 16. By Theoem 2, a pipeine odeing that does not espect paiwise odeing constaints is unsafe, and thus inadmissibe. This povides us with an effective stategy fo puning the seach space fo soutions. Given a pai of featues, FINDPAIRWISECONSTRAINTS can infe an odeing ove the pai, if exacty one of thei two possibe compositions vioates the given popeties. Othewise, if neithe composition vioates the popeties, the featues in question can be put in any ode, and hence no constaint is deived (ine 15). If both compositions vioate the popeties, FINDPAIRWISECON- STRAINTS etuns eo (ine 9). In this case, the given featues need to be evised befoe they can be put togethe in a pipeine; hence, ORDERPIPELINE teminates unsuccessfuy (ine 3). If FINDPAIRWISECONSTRAINTS does not etun eo, ORDER- PIPELINE entes a epeat-unti oop (ines 4 8). Evey iteation of this oop stats by finding a pemutation of the n featues compising the pipeine that satisfies the set of constaints computed by FINDPAIRWISECONSTRAINTS. Such a pemutation, caed T, satisfies a set C of constaints if fo evey constaint F k < F in C, we

8 Agoithm. ORDERPIPELINE Input: - Featues F 1,..., F n with action sets E 1,..., E n, esp. - A set negt ( S 1 k n E k) of negative taces. Output: A pemutation, T, of 1 to n giving an ode on F 1,..., F n. 1: C := FINDPAIRWISECONSTRAINTS(F 1,..., F n, negt) 2: if (C = eo) : 3: etun eo 4: epeat 5: T:= Next pemutation of 1, 2,, n satisfying C 6: Let B i bind F T[i]. to F T[i+1]. fo 1 i < n // B i connects the featue at position i // to the one at position i + 1 7: safe := MODELCHECK(F T[1] B1... Bn 1 F T[n], negt) 8: unti safe 9: etun T Figue 11: Agoithm fo pipeine odeing. Agoithm. FINDPAIRWISECONSTRAINTS Input: Featues F 1,..., F n and negative tace negt. Output: A set C o paiwise odeing constaints. 1: C := 2: fo 1 k < n: // choose a pai F k, F // estict negt to F k and F 3: negt := negt (E k E ) 4: B 1 := Binding(F k., F.) // put F k befoe F 5: safe 1 := MODELCHECK(F k B1 F, negt ) 6: B 2 := Binding(F.,F k.) // put F k afte F 7: safe 2 := MODELCHECK(F k B2 F, negt ) 8: if ( safe 1 safe 2) : 9: etun eo 10: if (safe 1 safe 2) : 11: add F k < F to C 12: ese if ( safe 1 safe 2) : 13: add F < F k to C 14: ese : // i.e., safe 1 safe 2 15: do nothing // inconcusive esut; // no constaint on F k w..t. F 16: etun C Figue 12: Agoithm fo finding paiwise odeing constaints. (a) A A a. a. a. a. C B b. b. b. b.eo; B b. b.eo; Figue 13: Loca odeing vs. goba odeing. have T[k] < T[], i.e., featue F k is positioned to the eft of featue F in the pipeine. Fo exampe, et F 1 = CB, F 2 = QT, and F 3 = RVM. The pemutation T satisfying constaints { CB < RVM, RVM < QT} is [1, 3, 2]. Aftewads, a goba composition of the featues is buit with espect to the computed pemutation T. If this composition satisfies a the given popeties, T is etuned as a soution. Othewise, the oop continues unti a soution is found, o a pemutations that satisfy C ae exhausted. In the atte case, ORDERPIPELINE etuns eo. Notice that meey satisfying C does not make a given pemutation T a soution to the pipeine odeing pobem. Fo exampe, conside featues A and B in Figue 13(a) 3. The composition of A and B in the figue is safe fo the tace b.eo;, i.e., the eo action is uneachabe. Howeve, once featue C is inseted between A and B in Figue 13, the esuting pipeine is no onge safe fo this popety: Theoem 2 ony guaantees safety vioations to ift fom a paiwise to the goba setting. Howeve, safety popeties that ae satisfied ove a pai of featues ae not necessaiy ifted 4. Theefoe, we need to check a safety popeties ove the goba composition induced by a candidate odeing. Futhe, athough in pactice most safety popety taces ae expessed ove pais of featues, we can envision taces that efe to sevea and potentiay to a featues in the system. Checking such popeties equies the constuction of a goba composition. Ou pipeine odeing agoithm is sound because we constuct a goba composition and veify it against a the given popeties. The agoithm is compete because by Theoem 2, it neve punes an odeing that is a possibe soution to the pipeine odeing pobem. Finay, the agoithm is change-awae, aowing fo the euse of synthesis esuts acoss changes to pipeines. Specificay, afte adding o modifying a featue F, a we need to do is to (e)compute the paiwise constaints between F and the est of the featues in the pipeine. In othe wods, constaints not invoving F emain vaid and can be caied ove fom the pevious system. The scaabiity and effectiveness of ou appoach utimatey depend on how we we can naow down the seach fo potentiay admissibe pipeine pemutations, and whethe veifying compositions (ines 5 and 7 in Figue 12, and ine 7 in Figue 11) is feasibe. In Section 8, we appy ou appoach to an industia teecom exampe. Thee, we demonstate that substantia puning of the seach space can be achieved by utiizing the paiwise constaints infeed fom the known undesiabe inteactions in the domain. The featues used in ou evauation wee not vey age, and theefoe, we coud veify thei compositions in a conventiona way. But, fo age systems, we can impove the scaabiity of ORDERPIPELINE agoithm using existing automated compositiona techniques fo checking safety popeties (e.g., [10]). 7. IMPLEMENTATION We have deveoped a pototype impementation of the pipeine odeing agoithm descibed in Section 6. We discuss inputs to the agoithm as we as the eevant technica detais beow. Inputs. Ou agoithm in Section 6 eceives a set of featues expessed as I/O automata and a set of negative taces captuing undesiabe inteactions between these featues. In ode to use standad veification toos, in ou case, the LTS Anayze (LTSA) too [27], ou too tansates the input featues to LTSs and the negative taces to safety LTSs (see Section 3). Paae composition. Ou technique equies us to compute compositions of pipeine featues (ines 5 and 7 of FINDPAIRWISEC- 3 This exampe is simia to that given in Section 2, but the detais ae not identica. 4 The featues in Figue 13 can be competed to impement the tanspaency patten (the competions not shown hee due to space imitations) and yet exhibit the same pobem.

9 ONSTRAINTS in Figue 12 and ine 7 of ORDERPIPELINE in Figue 11), fo which we need to impement the paae composition opeato B (Definition 6) one is not eadiy avaiabe in LTSA. This is achieved as foows: fist, we do an action eabeing to ensue that shaed actions, with espect to a given binding B, have identica abes in the featues to be composed. We then appy LTSA s paae composition opeato (Definition 1) to compose the featues. Mode checking. Since we tansate negative taces to safety LTSs, mode checking (ines 5 and 7 of FINDPAIRWISECONSTRAINTS and ine 7 of ORDERPIPELINE) can be done diecty using LTSA. Note that ou technique invoves mode checking not ony paiwise but aso the goba composition (ine 7 of ORDERPIPELINE). Ou too cuenty uses LTSA diecty fo this atte check, which has not pesented a chaenge so fa because the numbe and the size of featues we have been woking with so fa have been eativey sma (see Section 8). Howeve, this check may become an issue when anayzing age systems, and in the futue we intend to use an enhanced vesion of LTSA [10] that enabes compositiona mode checking fo safety popeties. This appoach appies to ou wok diecty, since the negative taces we use ae safety popeties. Odeing pemutations. To geneate odeing pemutations that satisfy a given set of constaints (ine 5 of ORDERPIPELINE), we use a backtacking constaint sove, Choco [22]. A constaints used in ou appoach ae binay, and fo those, the state-of-the-at ook-ahead techniques fo soving CSP pobems ae vey efficient. 8. EVALUATION In this section, we povide initia evidence fo the usefuness of ou appoach though a case study fom the teecom domain. Ou study invoves six featues fom AT&T depoyed in the DFC achitectue [21]. When conducting the study, we had a numbe of goas. The fist goa was to check that the featues pesent in the case study simuate ou fomaization of the tanspaency patten in Figue 9 (G1). The othe two goas wee to investigate whethe ou technique can sufficienty naow down the seach fo a safe pipeine odeing, which incudes the abiity to identify enough negative scenaios of inteaction (G2), and to evauate the pefomance of ou technique on a eaistic exampe (G3). We begin this section with a desciption of the domain of ou study, and discuss the expeience with the above goas in Section Domain Desciption In DFC, a simpe teecom usage is impemented by a inea pipeine such as the one shown in Figue 1. The oigina DFC pipeine has sevea additiona signas, e.g., avai and unknown, which we omitted fom Figue 1 fo simpicity. The pipeine in the figue incudes six featues, namey, CB and RVM (see Section 2), as we as QT, SFM, AC, and NATO. A high-eve desciption of the fou new featues, taken fom [37], is as foows: Quiet Time (QT) enabes the subscibe to avoid an incoming ca by activating a diaog with the cae, saying that the subscibe wishes not to be distubed. If the cae indicates that the ca is ugent, this featue aows the ca to go though. Othewise, it signas faiue (unavai) upsteam. Sequentia Find Me (SFM) attempts to find the caee at a sequence of ocations. If the fist ocation does not succeed, then whie a the othe ocations ae being tied, the featue pays an Featue CB RVM QT SFM NATO AC # of states # of tansitions Tabe 1: Sizes of the esuting tansations. announcement, etting the cae know that the ca is sti active. Answe Confim (AC) uses a media esouce to eicit confimation that the ca has been answeed by a peson athe than by a machine. If the test is not passed, it signas unavai upsteam, even though the ca was actuay answeed. No Answe Time Out (NATO) signas faiue (unavai) upsteam if an incoming ca is not answeed afte a cetain amount of time. The DFC achitectue suppots dynamic achitectua econfiguation. This means that featues and bindings can be ceated, destoyed, o eassigned at untime. In fact, the pipeine in Figue 1 is a static snapshot of a dynamic stuctue. Fo exampe, in the figue, each new ocation tied by SFM esuts in a new setup signa sent downsteam, and ceation of new instances of AC and NATO. We do not conside such advanced capabiities hee. Specificay, we abstact away featue behavious invoving untime econfiguation. Hence, a pipeine odeing synthesized by ou technique is ove a static snapshot of a (potentiay) dynamic DFC pipeine. In this sense, the ea vaue of ou technique with espect to DFC is as an expoation too though which anaysts can conside diffeent snapshots of the same pipeine and ensue that the synthesized odeings fo these snapshots ae consistent with one anothe. The featues in ou case study ae specified in Boxtak [38] a domain-specific anguage fo specifying teecom featues. Each Boxtak specification is a state machine with a set of states and a set of tansitions which can be tiggeed by actions. Boxtak aso povides constucts fo manipuating data and media, but we do not conside these constucts in this wok. Boxtak is simia to I/O automata in that the modes descibed in it ae input-enabed; the anguage aso distinguishes between input, output, and intena actions of featues [38]. Hence, the conto behavious of Boxtak specifications can be convenienty captued using ou I/O automata-based fomaism (Definition 4). In this case study, a of the featues except NATO and CB have additiona pots though which they communicate with media esouces that ecod speech, pay announcements, detect touch-tones, etc. We have abstacted away fom these pots, epacing thei signas with intena actions such as vm.voicemai;. This abstaction is safe because the inteaction of each featue with its media esouce is independent and and ogicay contained within the featue, thus not affecting featue composition. 8.2 Expeience We manuay tansated the six Boxtak featues into I/O automata. The sizes of the tansated modes ae shown in Tabe 1, wheeas the oigina Boxtak specifications and the esuting I/O automata ae avaiabe in [30]. Ou anaysis indicates that a these featues impement ou fomaization of the tanspaency patten. We aeady exempified the simuation eation fo CB and RVM in Section 5. Fo the emaining featues, see [30]. The eaization of the tanspaency patten satisfies goa G1 and enabes the appication of ou pipeine odeing agoithm.

10 G2. The scenaios used in ou study ae shown in Tabe 2 (eft coumn). These scenaios came fom [37] and fom the expeience of the domain expet the ast autho of this pape. Note that these scenaios may not be aways known in advance. To eicit them, the domain expet may have to inspect o monito the modes and thei inteactions using automated anaysis toos. Tabe 2 (ight coumn) shows the constaints infeed by ou technique fo the individua scenaios. These constaints wee sufficient to concusivey ode a the featues in Figue 1 except fo the SFM featue. The oe of SFM is to tansfom a numbe that was diaed, i.e., a pesona numbe, into some device numbe: a home phone, a ce phone, etc. Scenaios invoving SFM cannot be expessed as sequences of actions because they efe to data, i.e., pesona and device numbes. In this wok, we do not mode data and instead ey on the domain expet to povide the constaints fo SFM. Specificay, CB, RVM, and QT shoud pecede SFM because they ae pesona featues, i.e., they appy to the pesona numbe. In contast, AC and NATO shoud foow SFM because they appy to each phone ty individuay, and thee wi be a diffeent instance of AC and NATO fo each ty. Using these additiona constaints, we wee abe to naow down the set of possibe goba odeings to a singe one. Whie we had no pobem in this domain whee the natue of inteactions between featue pais was we studied and we undestood, ou technique may be ess effective in othe domains. The degee to which it naows down the seach is infuenced by factos such as the size and the numbe of featues in the domain, the amount of domain expetise avaiabe, and the existence of foma design guideines fo featue deveopment, and a of these may vay widey. To extend the appicabiity of ou appoach to domains whee an adequate set of negative scenaios is had to obtain, the appoach can be combined with simuation and monitoing toos which assist uses in identifying additiona undesiabe scenaios. The idea is that anaysts often have cetain heuistics fo detecting suspicious behaviou, even though they may not have pinned down the exact undesiabe inteactions. Fo exampe, it might be dangeous fo cetain pais of featues to be active in the same usage scenaio. The abiity of a too to epot pais of featues that can be active simutaneousy may hep anaysts to identify additiona safety popeties and thus educe the numbe of featue odeings. Diffeent monitoing toos can be used in conjunction with ou appoach, but the one that eadiy integates with ou fomaism is LTSA s simuation modue. This modue can be used to monito the paae composition of a set of featues and epot taces eading to suspicious behavious. These taces can then be studied by anaysts as potentia candidates fo negative scenaios. Since ou appoach equies taces ony ove pais of featues to infe odeing constaints, uses can concentate on paiwise compositions, fo which taces ae typicay sma and intuitive enough fo manua inspection. G3. We measued the time and memoy pefomance of the diffeent steps in ou technique, appied to the featues in ou study. The epoted times ae fo a PC with a 2.2GHz Pentium Coe Duo CPU and 2GB of memoy; ou impementation used vesion 1.2 of Choco and vesion 2.3 of LTSA. FINDPAIRWISECONSTRAINTS: Executing ines 5 and 7 of this agoithm (Figue 12) invoves buiding paiwise compositions of LTSs and mode checking them. Since I/O automata can be seen as LTSs, the sizes of ou LTS tansations ae those shown in Tabe 1. The numbe of states of the paiwise compositions anged between 60 to 259, and the numbe of tansitions between 210 to 785. The Negative Scenaio QT cannot stop a cae fom eaving a voicemai message. A bocked cae shoud not be aowed to engage in a diaogue with the system (this is to avoid wasting expensive media esouces). If QT is enabed and the ca is not ugent, the system shoud not distub the caee with a confimation diaogue. The time inteva shoud neve incude the time that the system takes having a diaogue with a use (because that shoud not be incuded in the time aowance fo answeing). Constaint(s) RVM < QT CB < AC, CB < QT CB < RVM QT < AC AC < NATO, QT < NATO Tabe 2: Negative scenaios and the esuting constaints. unning times fo geneating the compositions wee negigibe, i.e., unde 1s. To mode check the compositions, we expessed safety popeties as (safety) LTSs, which, fo the popeties in Tabe 2, anged between 3 to 5 states, and 5 to 8 tansitions. Fo exampe, Figue 6 can be intepeted as a safety LTS fo the popety NS 1 descibed in Section 2 by etting a = cb.eject; and b = vm.voicemai. The unning times of individua mode checking tasks wee negigibe. Fo the six featues in the study and the popeties in Tabe 2, the tota execution time of FINDPAIRWISECONSTRAINTS was 6.47s and the maximum equied memoy was 10M. The esut of unning the agoithm is the set of odeing constaints in the second coumn of Tabe 2. ORDERPIPELINE: Line 5 of this agoithm (Figue 11) invokes a constaint sove Choco to compute a pemutation satisfying the paiwise odeing constaints. The unning time and memoy usage of this step wee negigibe due to the natue of ou CSP pobem (see Section 7), and esuted in a singe pemutation that satisfied a of the paiwise constaints in Tabe 2. Line 7 of the ORDERPIPELINE agoithm equies computing a goba composition of the featues. Since thee is ony one pemutation satisfying the constaints in Tabe 2, ony one goba composition needed to be buit and veified. The numbe of states and tansitions in this goba composition ae and , espectivey 5. The time and memoy needed fo geneating this composition ae 71.4s and 913M, espectivey. The tota mode checking time, i.e., the sum of mode checking times fo individua popeties in Tabe 2, was 16min, and the maximum memoy equiement was 1G. Ovea, we wee abe to compute a safe featue odeing in about a quate of an hou. The ode that we computed is the same as the one that was poduced by the domain expet via manua anaysis of the featue pais. As we discussed in Section 2, this may not be the case when the featues do not satisfy the tanspaency patten. The most expensive pat of ou agoithm is mode checking of a goba composition, which took about 16min. This cost is incued no matte what appoach one takes fo odeing a set of featues. Even if we wee to seect a featue odeing andomy, we woud sti have to buid the goba composition and veify it. Since the size of goba compositions gows quicky, compositiona techniques fo deaing with space exposion ae needed. Whie we managed to buid goba compositions using LTSA in ou case study without esoting to compositiona anaysis toos, efficient toos fo checking goba compositions aeady exist and can be eadiy incopoated into ou appoach as discussed in Section 7. 5 We have obseved that goba compositions fo othe pemutations ae of oughy the same size.