A General Framework for Architecture Composability

Size: px

Start display at page:

Download "A General Framework for Architecture Composability"

Bertha Lang
6 years ago
Views:

1 A General Framework for Architecture Composability SEFM, 3 rd of September, 2014 Paul Attie, Eduard Baranov, Simon Bliudze, Mohamad Jaber and Joseph Sifakis

Reusable design patterns Systems are not built from scratch Maximal re-use of building blocks (off-the-shelf components) Maximal re-use of solutions

2 Reusable design patterns Systems are not built from scratch Maximal re-use of building blocks (off-the-shelf components) Maximal re-use of solutions (libraries, design patterns, etc.) Express coordination constraints in declarative manner SEFM, Grenoble, 3 rd of September, / 23

3 Applications Concurrency: (a)synchronous, time-triggered, token-ring, mutual exclusion Interface adaptation: communication protocols, data access control Robustness: fault detection & recovery, resource management etc. SEFM, Grenoble, 3 rd of September, / 23

4 Theory of architectures How to model? How to specify? How to combine? How to implement efficiently? Architectures enforce characteristic properties. The crucial question is whether these are preserved by composition? SEFM, Grenoble, 3 rd of September, / 23

5 Example in BIP sleep sleep work work SEFM, Grenoble, 3 rd of September, / 23

6 Example in BIP sleep free sleep work taken work SEFM, Grenoble, 3 rd of September, / 23

7 Example in BIP sleep free sleep work taken work SEFM, Grenoble, 3 rd of September, / 23

8 Example in BIP free taken SEFM, Grenoble, 3 rd of September, / 23

9 Example in BIP free taken 12 = {;,,,, } SEFM, Grenoble, 3 rd of September, / 23

10 Architectures in BIP A =(C,P A, ) free taken SEFM, Grenoble, 3 rd of September, / 23

11 Architectures in BIP A =(C,P A, ) Set of coordinating behaviours free taken SEFM, Grenoble, 3 rd of September, / 23

12 Architectures in BIP A =(C,P A, ) Set of coordinating behaviours Interface (ports) free taken SEFM, Grenoble, 3 rd of September, / 23

13 Architectures in BIP A =(C,P A, ) Set of coordinating behaviours Interface (ports) Interaction model free taken SEFM, Grenoble, 3 rd of September, / 23

14 Architectures in BIP A =(C,P A, ) Set of coordinating behaviours Interface (ports) Interaction model The interface includes all ports of the coordinator components [ P C P A C2C free taken SEFM, Grenoble, 3 rd of September, / 23

15 Constraints intuition SEFM, Grenoble, 3 rd of September, / 23

16 Constraints intuition Bad 1 SEFM, Grenoble, 3 rd of September, / 23

17 Constraints intuition Bad 1 SEFM, Grenoble, 3 rd of September, / 23

18 Constraints intuition Bad 1 Bad 2 SEFM, Grenoble, 3 rd of September, / 23

19 Constraints intuition Bad 1 Bad 2 SEFM, Grenoble, 3 rd of September, / 23

20 Constraints intuition Bad 1 Good Bad 2 SEFM, Grenoble, 3 rd of September, / 23

21 Limits of white magic SEFM, Grenoble, 3 rd of September, / 23

22 Limits of white magic Bad 1 SEFM, Grenoble, 3 rd of September, / 23

23 Limits of white magic Bad 1 SEFM, Grenoble, 3 rd of September, / 23

24 Limits of white magic Bad 1 Bad 2 SEFM, Grenoble, 3 rd of September, / 23

25 Limits of white magic Bad 1 Bad 2 SEFM, Grenoble, 3 rd of September, / 23

26 Limits of white magic Bad 1 Bad 2 SEFM, Grenoble, 3 rd of September, / 23

27 Main idea Characteristic predicate for! (' : B P! B 2 P ' = _ a2 ^ p2a p ^ ^ p62a 1 pa! B SEFM, Grenoble, 3 rd of September, / 23

28 take. From this perspective, architecture composition can be un al state space of the system [3, 5]. More omponent coordination is realised by limiting allowed perspective, architecture composition canconstraints. be the understood as the notion conjunction of their respective This synchroniintuitive ised by limiting the allowed synchroniibilities, thus imposing constraints on the transitions components can heir respective constraints. This intuitive notion is formalised by the two definitions below. ints on the transitions components can Main idea this perspective, architecture composition can be understood as the ns below. composition candefinition be understood as the 5 (Characteristic predicates). Let 2P be n their respective constraints. This intuitive notion is formalised by s. of This intuitive notion is formalised by model over a set of ports P. Its Pcharacteristic predicate (' : B Characteristic 2 be an interaction Characteristic predicate Let for finitions below. predicates). P is defined by putting 0 1 of ports P. Its characteristic predicate (' : B! B) 2 B[P ]! P P ates). Let 2 be an interaction _ ^be an^interaction n 5 (Characteristic predicates). Let 2 ting 0 A. P P^ p ' = p ristic predicate (' : B! B) 2 B[P ] a set of ports P_. Its characteristic predicate (' : B! B) 2 B[P ] ^ ^ a2 p2a p62a by putting 1 ' 0 A p. 1 p^ ^ For any valuation v : P! B, ' (v) = tt if and only if {p 2 P v _ ^ ^ a2 p2a p6 2 a pa. p ^ Interaction back predicate B[Ppredicates ]puniquely interaction model ', suc padefines.and an ' models = ' 2@to ^ n v p6:2pa! B, ' (v) =a2 tt if p2a and only if {p 2 P v(p) = tt} 2. A p62a Definition 6 (Architecture composition). only if {p 2 P v(p) tt} 2. A model ' Pf and ] uniquely defines an = interaction, such that ' 'Let =A '.j = (Bj, 1,'B, 2,B, be' two architectures. The ifcomposition of A and2a2. isa an a uation vmodel :P (v) ='tt'=if and only {p 2 P v(p) =1 tt} '(v) P!! teraction such that =tt '. () A2composition). = (B1 [ B where =such ^that 'for. Architecture Let A),jmodel = (Bj'',,P, 1j ), 2, P 1[P 2, ' 2 B[P ] uniquely defines an interaction = '. 2 'j ' = j' tion). Let Aj = (Bj, Pj, j ), for j = tectures. The composition of A and A is an architecture A 1 2 1model of th The following lemma states that the interaction n of A and A is an architecture A n 6 (Architecture composition). Let Aj = (Bj, Pj, j ), for j = P1 [ P ' consists = ' 1 ^precisely ' 2. of the interactions, such that both the 2,. ' ), where haviour ^ ' 1 2 architectures. The composition of A1 and A2 is an architecture A1 the interfaces of the composed architectures belong to the corr [ginteraction Blemma Pmodel 'interaction = ' be^ ' model. that of the composed be2, P1 [ states 2, ' ), of where thethe composed 1 2 action models. In other words, these are precisely the interact ons, such that their projections on that both their projections on precisely of both the interactions, such the coordination constraints imposed bythe both composedbearchite lowing lemma states that the interaction model of composed ures to the architectures corresponding SEFM, Grenoble, 3 of September, 2014 thebelong composed belong to the corresponding inter- 9 / 23 rd

29 take. From this perspective, architecture composition can be un al state space of the system [3, 5]. More omponent coordination is realised by limiting allowed perspective, architecture composition canconstraints. be the understood as the notion conjunction of their respective This synchroniintuitive ised by limiting the allowed synchroniibilities, thus imposing constraints on the transitions components can heir respective constraints. This intuitive notion is formalised by the two definitions below. ints on the transitions components can Main idea this perspective, architecture composition can be understood as the ns below. composition candefinition be understood as the 5 (Characteristic predicates). Let 2P be n their respective constraints. This intuitive notion is formalised by s. of This intuitive notion is formalised by model over a set of ports P. Its Pcharacteristic predicate (' : B Characteristic 2 be an interaction Characteristic predicate Let for finitions below. predicates). P is defined by putting 0 1 of ports P. Its characteristic predicate (' : B! B) 2 B[P ]! P P ates). Let 2 be an interaction _ ^be an^interaction n 5 (Characteristic predicates). Let 2 ting 0 A. P P^ p ' = p ristic predicate (' : B! B) 2 B[P ] a set of ports P_. Its characteristic predicate (' : B! B) 2 B[P ] ^ ^ a2 p2a p62a by putting 1 ' 0 A p. 1 p^ ^ For any valuation v : P! B, ' (v) = tt if and only if {p 2 P v _ ^ ^ a2 p2a p6 2 a pa. p ^ Interaction back predicate B[Ppredicates ]puniquely interaction model ', suc padefines.and an ' models = ' 2@to ^ n v p6:2pa! B, ' (v) =a2 tt if p2a and only if {p 2 P v(p) = tt} 2. A p62a Definition 6 (Architecture composition). only if {p 2 P v(p) tt} 2. A model ' Pf and ] uniquely defines an = interaction, such that ' 'Let =A '.j = (Bj, 1,'B, 2,B, be' two architectures. The ifcomposition of A and2a2. isa an a uation vmodel :P (v) ='tt'=if and only {p 2 P v(p) =1 tt} '(v) P!! teraction such that =tt '. () A2composition). = (B1 [ B where =such ^that 'for. Architecture Let A),jmodel = (Bj'',,P, 1j ), 2, P 1[P 2, ' 2 B[P ] uniquely defines an interaction = '. 2 'j ' = j' tion). Let Aj = (Bj, Pj, j ), for j = tectures. The composition of A and A is an architecture A 1 2 1model of th The following lemma states that the interaction n of A and A is an architecture A n 6 (Architecture composition). Let Aj = (Bj, Pj, j ), for j = P1 [ P ' consists = ' 1 ^precisely ' 2. of the interactions, such that both the def 2,. ' ), where haviour ^ ' 1 2 A architectures. The composition A2 = (C1 [ C2, of P1A[1 Pand = ' 1 ^ ' A2 1 2 is an'architecture 1 2, A ') the interfaces of the composed architectures belong to the corr [ginteraction Blemma Pmodel 'interaction = ' be^ ' model. that of the composed be2, P1 [ states 2, ' ), of where thethe composed 1 2 action models. In other words, these are precisely the interact ons, such that their projections on that both their projections on precisely of both the interactions, such the coordination constraints imposed bythe both composedbearchite lowing lemma states that the interaction model of composed ures to the architectures corresponding SEFM, Grenoble, 3 of September, 2014 thebelong composed belong to the corresponding inter- 9 / 23 rd

30 Example continued sleep work sleep b 3 f 3 sleep f 3 b 3 work work SEFM, Grenoble, 3 rd of September, / 23

31 Example continued free taken sleep sleep b 3 f 3 sleep f 3 b 3 work work work SEFM, Grenoble, 3 rd of September, / 23

32 Example continued ' 12 ( ) ) ^ ( ) ) ^ ( ) ) ^ ( ) ) ^ ( ) XOR ) ^ ( ) XOR ) ^ ( ) ). sleep sleep b 3 f 3 sleep free f 3 b 3 work work work taken SEFM, Grenoble, 3 rd of September, / 23

33 Example continued ' 12 ( ) ) ^ ( ) ) ^ ( ) ) ^ ( ) ) ^ ^ ^ ( ) XOR ) ^ ( ) XOR ) ^ ( ) ). ) ^ 3, ) ^ 3, ) XOR, ) XOR, ), ) ^ 3, ) ^ 3, 3 ) XOR b 3, 3 ) XOR f 3, 3 ) 3, b 3 ) 3 ^ 3, f 3 ) 3 ^ 3, 3 ) XOR b 3, 3 ) XOR f 3, 3 ) 3. sleep sleep b 3 f 3 sleep free f 3 b 3 work work work taken SEFM, Grenoble, 3 rd of September, / 23

34 Example continued ' 12 ( ) ) ^ ( ) ) ^ ( ) ) ^ ( ) ) ^ ^ ^ ( ) XOR ) ^ ( ) XOR ) ^ ( ) ). ) ^ 3, ) ^ 3, ) XOR, ) XOR, ), ) ^ 3, ) ^ 3, 3 ) XOR b 3, 3 ) XOR f 3, 3 ) 3, b 3 ) 3 ^ 3, f 3 ) 3 ^ 3, 3 ) XOR b 3, 3 ) XOR f 3, 3 ) 3. {;, 3, 3, 3, 3, b 3 3 3, f } sleep sleep b 3 f 3 sleep free f 3 b 3 work work work taken SEFM, Grenoble, 3 rd of September, / 23

35 Example continued free 3 3 taken 3 3 f 3 b 3 free 3 3 free 3 3 taken taken {;, 3, 3, 3, 3, b 3 3 3, f } SEFM, Grenoble, 3 rd of September, / 23

36 Architectures as operators Applying an architecture to a set of behaviours!! A =(C,P A, ) P A P def = [ P B! A(B) def = k 2 P \P A (B [ C) B2B[C SEFM, Grenoble, 3 rd of September, / 23

37 Architectures as operators Applying an architecture to a set of behaviours!! A =(C,P A, ) P A P def = [ P B! A(B) def = k 2 P \P A (B [ C) B2B[C SEFM, Grenoble, 3 rd of September, / 23

38 Architectures as operators Applying an architecture to a set of behaviours!! A =(C,P A, ) P A P def = [ P B! A(B) def = k 2 P \P A (B [ C) B2B[C Partial application is a new architecture B 0 def = A[B] def = B 0,P [ P A, k 2 P \P A P k 2 P \P A (B [ C) P = {a \ P a 2 } SEFM, Grenoble, 3 rd of September, / 23

39 Nice properties Under suitable conditions Architectures can be composed before applying! A 2 (A 1 (B)) = (A 1 A 2 )(B) Architecture application can be restricted!! A 2 (A 1 (B 1, B 2 )) = A 2 (A 1 (B 1 ), B 2 ) Architecture can be applied partially A(B 1, B 2 )=A[B 1 ](B 2 ) SEFM, Grenoble, 3 rd of September, / 23

40 Enforcing properties Consider behaviour B =(Q, q 0,P,!) Q A property: initial: q 0 2 An invariant: 8q 2, 8a 2 2 P, (q a! q 0 ) q 0 2 ) SEFM, Grenoble, 3 rd of September, / 23

41 Enforcing properties Consider behaviour B =(Q, q 0,P,!) Q A property: initial: q 0 2 An invariant: 8q 2, 8a 2 2 P, (q a! q 0 ) q 0 2 ) A An architecture imposes a property on B if is an initial invariant of the projection of the reachable states of A(B) onto B A(B) = SEFM, Grenoble, 3 rd of September, / 23

42 Main results: Safety A 1 (B) = 1 A 2 (B) = 2 ) =) A 1 A 2 (B) = 1 \ 2 SEFM, Grenoble, 3 rd of September, / 23

43 Liveness: Computation An infinite computation is live iff each coordinator is executed sufficiently often A set of idle states Q idle Q Each coordinator not in an idle state must eventually be executed Intuition: idle states do not have pending eventuality Example (mutex): Q idle = {free} free SEFM, Grenoble, 3 rd of September, / 23 taken

44 Liveness: Architecture An architecture is live w.r.t. a set of components iff every computation can be extended to an infinite live one Abadi and Lamport s machine closure SEFM, Grenoble, 3 rd of September, / 23

45 Non-interference An architecture can interfere with the liveness of another Examples: A 1 A 2 repeatedly preempts components that needs to interact with Two architectures conspire against a third one SEFM, Grenoble, 3 rd of September, / 23

46 Non-interference An architecture can interfere with the liveness of another Examples: A 1 repeatedly preempts components that needs to interact with A 2 Two architectures conspire against a third one A 1 is non-interfering with A 2 w.r.t. B iff, for every infinite computation of (A 1 A 2 )(B) C 1 C 2 executes infinitely often => executes sufficiently often SEFM, Grenoble, 3 rd of September, / 23

47 Main results: Liveness ) A live pairwise non-interfering =) M A live {z } w.r.t. B SEFM, Grenoble, 3 rd of September, / 23

48 Conclusions Architectures solve coordination problems by enforcing characteristic properties. First step toward the study of a rigorous concept of architecture and its effective use for achieving correctness by construction in a system design flow. Commutative & associative composition operator Safety properties are preserved Deadlock freedom and liveness can be efficiently checked Bensalem et al. D-Finder 2: Towards efficient correctness of incremental design [NASA Formal Methods 2011] Attie et al. An abstract framework for deadlock prevention in BIP [FMOODS/FORTE 2013] Pair-wise criterion for liveness [This paper] SEFM, Grenoble, 3 rd of September, / 23

49 Future work Study, classification and modelling of architectures in various domains (Embedded systems, web services, enterprise integration, etc.) Improved versatility of the model Specification language for architectures and properties SEFM, Grenoble, 3 rd of September, / 23

50 Thank you for your attention

51 Elevator case-study Elevator cabin = Engine + Doors + Calling System A1: basic functionality + the elevator does not move with open doors A2: make sure doors are opened at each stop A3: full => calls only from the cabin A4: executive floor SEFM, Grenoble, 3 rd of September, / 23

52 Elevator components s 0 s 0 up dn s 2 o c up up o dn dn s 1 s 1 s 2 c Engine is ic fs fc is ic fc Door Caller ic fs system SEFM, Grenoble, 3 rd of September, / 23

53 Elevator coordinators m 1 s c 1 c 1 m 1 o 1 m 2 d 2 o 1 m 1 s 1 e 2 m 2 d 2 e 2 nf3 add 3 nf 3 sub 3 add 3 add 3 fr 4 req 4 fr 4 req 4 fn 4 sub 3 sub 3 nf 3 fn 4 SEFM, Grenoble, 3 rd of September, / 23

A general framework for architecture composability

DOI 0.007/s0065-05-0349-8 The Author(s) 205. This article is published with open access at Springerlink.com Formal Aspects of Computing Formal Aspects of Computing A general framework for architecture