1 Software Architectures © David Garlan Talk Outline Part 1: Overview of Software Architecture ...

1Software Architectures

© David Garlan

Talk Outline

Part 1: Overview of Software Architecture What is software architecture? What are essential architectural concepts?

Part 2: Modeling and Analysis Formal representations of architecture Formal analysis and model checking of

architectures UML

Part 3: Selected Frontiers Ubiquitous Computing Mobility and Task-based Systems Two-tiered methods (MDA) Others


© David Garlan

Kinds of Analyses

ConsistencyDo the parts fit together?

CompletenessAre parts missing?

RefinementCan one architecture be substituted for another?

Verification and Architectural ConformanceDoes an implementation conform to the architecture?

System-wide behavior, performance, reliability, etc.What is the aggregate behavior of a system, given the behaviors

of the parts?

Evaluating design choices and trade-offsHow do we decide what architectural decisions to make?


© David Garlan

Analyzing Architectural Behavior

Much of the architectural research effort has been devoted to modeling and analysis of architectural behavior Defines abstract events at the architectural level Usually identifies protocols of interaction for

connectors Based on various modeling formalisms

Process algebras Chemical Abstract Machine Statecharts Pre/post conditions Category theory (ComUnity) … and many others

WRIGHT Configurations

c

cs

s

Configuration SimpleClientServer

Component ServerPort provide: <provide protocol>Computation: <Server behavior>

Component ClientPort request: <request protocol>Computation: <Client behavior>

Connector C-S-connectorRole client: <request protocol>Role server: <server protocol>Glue <glue protocol>

Instancess: Serverc: Client cs: C-S-connector

Attachmentss.provide as cs.server

c.request as cs.clientend SimpleClientServer

Component types

Connector

types

Instances

Attachments

WRIGHT StylesStyle ClientServerStyle

Connector C-S-connector (n: 1..)

Role client1..n: <request protocol>Role server: <server protocol>Glue <glue protocol>

Constraints <constraints>end ClientServerStyle

System SimpleClientServerStyle ClientServerStyleComponent Server ...Component Client ...Instances …

cs: C-S-connector(1)Attachments ...

end SimpleClientServer

Style inclusion

Parameterized connectors

Connector instantiation


© David Garlan

Specifying Behavior (Protocols)

Events: request, newValue?y

Processes: P, WorldModel, Client, §

Sequence: e P, P;Q

Choice: P Q, P [] Q

Quantification: [] x: S P(x)

Notation (based on CSP):


© David Garlan

A Client-Server Connector

Connector ClientServer

Role Client = open Operate §

where Operate = request result?x Operate

close §

Role Server = open Operate §

where Operate = request result!x Operate

close §

Glue = Client.open Server.open Glue

[] Client.close Server.close Glue

[] Client.request Server.request Glue

[] Server.result?x Client.result!x Glue

[] §


© David Garlan

A Pipe Connector

Connector Pipe Role Writer = (write!x Writer) (close §)Role Reader = Read Exit

where Read = (read?x Reader) [] (eof Exit)Exit = close §

Glue = Writer.write?x Glue []Reader.read!y Glue []Writer.close ReadOnly []Reader.close WriteOnly

where ...


© David Garlan

A Pipe Connector (continued)

where

WriteOnly =

Writer.write?x WriteOnly [] Writer.close §

andReadOnly =

Reader.read!y ReadOnly

[] Reader.eof Reader.close §[] Reader.close §


© David Garlan

Components

Component ReadOneFilter =Port ReadOne = (read close §) (close §)

Port WriteOne = write close §

Computation = …

Component DataFile

Port File = Action [] Exit

where Action = (read File [] write File)

and Exit = close §

Computation = …


© David Garlan

Analyzing WRIGHT Specifications

Consistency Connector is deadlock-free

roles do not conflict with each other or the glue Component interface matches its computation

ports are projections of the component behavior Compatibility

Port-role compatibility port satisfies requirements of role

Instance-style compatibility configuration obeys style constraints

Completeness Unattached port check

does a port require a connection

Most of these properties can be checked automatically using model checking


© David Garlan

Consistency Checking

Connector SharedData

Role User1 = (set User1) (get User1) §

Role User2 = (set User2) (get User2) §

Glue = User1.set Continue [] User2.set Continue [] §

where Continue =

User1.set Continue [] User2.set Continue []

User1.get Continue [] User2.get Continue

[] §

Deadlock occurs when both users choose to “get” initially.


© David Garlan

Compatibility Checking

When can a port be legally attached to as a role?Yes:

Port P = (push P) §Role R = (push R) (pop R) §

No:

Port P = (push P) §Role R = init R'

where R' = (push R') (pop R') §

So are the ports of the previous filters

compatible with the Pipe roles? (ans: yes)


© David Garlan

Automating WRIGHT Analyses

Most of the checks can be automated for finite models

We use FDR from Formal Systems, Ltd. commercial model checker for CSP used extensively by Inmos

Our tools translate Wright into FDR syntax and then invoke predefined tests flattens structure; expands names calculates alphabets adds explicit types for channels

Can also investigate other properties directly through FDR e.g., satisfaction of some particular trace


© David Garlan

How FDR Works

FDR checks whether one process refines another refinement means “is substitutable for”

if P = (e P f P) and Q = e Q then Q refines Pif P = (e P f P) and Q = e Q then Q doesn’t refine P

several flavors: trace, failures, failure/divergences To check some property of process P

find a process Q that embodies just that property hide irrelevant parts of P, and rename, to give P’ check that the P’ refines Q

Example: check deadlock freedom of process P with respect to events in set SQ = e QP’ = P \ diff(alpha_P, S) [[ e x | x S ]]


© David Garlan

Example: Distributed Simulation

Distributed simulation simulation is a multi-billion $ industry critical problem for DoD (and others) is multi-vendor

interoperability envision ~1000 cooperating simulations

The "High-Level Architecture” (HLA) Defense Modeling and Simulation Office (DMSO) standard -- about 250 pages http://www.dmso.mil/docslib/hla each page defines 1 API call 3-year effort high visibility

Sim1 Sim2 Sim3


© David Garlan

The HLA Architecture

Federate Federate ...

FedInterface

Runtime Interface(RTI)


© David Garlan

WRIGHT View: an RTI Connector

Runtime Interface(RTI)FedInterface

(Role)

Glue


© David Garlan

The Wright Specification

Style HLA

Connector RTI(nsim:1..)

Role Fed1..nsim = FedInterface

Glue = RTIBehavior

Constraints

r:Connectors | {r} = ConnectorsType(r) = RTI

end HLA


© David Garlan

FedInterface

FedInterface = FedMgmt || DeclMgmt || ObjMgmt || OwnMgmt

|| TimeMgmt || FedJoined || ControlPausewhere

FedMgmt = … DeclMgmt = ……

General structure follows this patternDeclMgmt =

InitiateDeclActivity

[] WaitForDeclActivity [] resignFedExecution §


© David Garlan

RTIBehavior

RTIBehavior = MiniProtocols || JoinedFeds{} || HandleMembership

where

MiniProtocols =

PauseProtocol || SaveProtocol || SubscribeProtocol || OwnershipProtocol || ObjectProtocol || OtherBehavior

Example:PauseProtocol =

([] i:1..nsim Fedi.requestPause

memberFeds?S pausedFeds?T

(; j:(S \ T) Fedj.schedulePause §) ; PauseProtocol

[] ([] i:1..nsim Fedi.requestResume …[] §


© David Garlan

FedRunning = requestPause FedRunning schedulePause pauseAchieved FedPaused

HandlePauseS = i: S [] Fedi.requestPause

( i: S ; Fedi.schedulePause §) ; HandlePauseS

FedPaused = requestResume FedPaused scheduleResume resumeAchieved FedRunning

Consistency Check 2: Paused on Join

JoinFed = joinFedExecution FedRunning

Role

___________

Glue


© David Garlan

Pause on Join

Federate Federate

RTI

(1) joinFedExecution(2) requestPause(3) schedulePause(4) pauseAchieved

(5) joinFedExecution(6) requestPause


© David Garlan

Oops!

Federate Federate

RTI

(1) joinFedExecution(2) requestPause(3) schedulePause(4) pauseAchieved

(7) schedulePause

(5) joinFedExecution(6) requestPause


© David Garlan

Results

Modeled 5/6 of HLA behavior in Wright about 20 pages initially part of Robert Allen’s Ph.D. thesis identified about 12 problems later full-time staff member took over major work

Identified over 80 issues clarified design especially in areas of

synchronization and time stamping ended up authoring parts of published standard also used Z and StateCharts to model some

aspects of the architecture some of our formal model included in current

documentation


© David Garlan

Classification of Findings

Ambiguity/imprecise wording 28

critical reading, Wright, other Inadequate pre-/post-conditions 12

critical reading Missing information 20

critical reading, Wright, FDR Race conditions 5

FDR, Wright Errors (invariant violation, unexpected conseqs) 11

critical reading, Wright, other Misc (typos, impl warnings, docn inconsistencies) 11

critical reading ,Wright, FDR 87 issues


© David Garlan

Other Examples

Java Phone Enterprise Java Beans

See papers on www.cs.cmu/edu/~able


© David Garlan

What about UML?

Unified Modeling Language (UML) emerging standard for object-oriented modeling collection of many different notations, mostly

graphicalobject diagrams, class diagrams, sequence diagrams,

… very hot area in the oo community

Code

Software Architecture

Requirements

UML???


© David Garlan

Arch Description and UML

Requirements

Code

ADLs UML


© David Garlan

Strategies to EncodeArchitectural Designs in UML

How do you model an architectural component type and architectural component instance? 1. classes and instances2. stereotypes and classes3. classes and classes4. UML components5. packages (subsystems)

… and for each of these strategies there are many sub-alternatives for connectors, interfaces, styles, representations, etc.


© David Garlan

UML Limitations

All of these solutions suffer from one or more of the following problems

1. Incompleteness no home for essential information (associated

with previous list of first-class entities)2. Illegibility

can find first-class home for architectural info, but the result is a visual (and conceptual) mess

3. Semantic mismatch may look visually clean, but underlying

intuitions are at odds4. Unanalyzability

even when you can represent it, and it looks nice, there is nothing you can do with it (except use it as documentation)


© David Garlan

Specific Problem Areas

Multiple interfaces of the same type Note Java or Com interfaces won’t work

Scoped substructure Note collaboration diagrams won’t work

First-class connectors Note associations aren’t sufficient, since can’t

represent substructure, or define independently of context

Styles Profiles are too heavy-handed; packages provide

aggregation, but can’t support restrictions


© David Garlan

Talk Outline

Part 1: Overview of Software Architecture What is software architecture? What are essential architectural concepts?

Part 2: Modeling and Analysis Formal representations of architecture Formal analysis and model checking of

architectures UML

Part 3: Selected Frontiers Ubiquitous Computing Mobility and Task-based Systems Two-tiered methods (MDA) Others


© David Garlan

Frontier 1: Ubiquitous Computing

Computers and information potentially everywhere Thousands of computing elements at our disposal Heterogeneous universe

Desktops, mainframes, PDAs,Smart appliancesWearable computersSensors and actuators

Not just keyboards: voice/speech/gesture interfaces

Convergence of communications, information, computing

Mobile users


© David Garlan

Consequences for Software & Systems

Increasingly, systems must be composed of parts built by many

organizations run continuously operate in environments where resources

change frequently be usable by mobile users

For such systems, traditional methods break down Exhaustive verification and testing not possible Manual reconfiguration does not scale Off-line repair and enhancement is not an option


© David Garlan

What Has to Change?

Goal: systems automatically and optimally adapt to handle changes in user needs variable resources faults user mobility

In short, systems must be come self-** = managing, healing, protecting, adaptive, configuring, etc.


© David Garlan

But how?

Move from open-loop to closed-loop systems

?

Executing System

Control Mechanisms

SenseAffect

Systems monitor their own behavior, and have engineered control mechanisms to detect problems and effect repairs.


© David Garlan

Architecture-Driven Adaptation

ConstraintEvaluator

RepairHandler

Interpreter

Architecture Layer

Arch. Model

GenericAPI

MonitoringMechanisms

Executing System

Implementation Layer

Translator

RuntimeManager


© David Garlan

Example

Spare Servers

Spare Servers

Client 6

Client 2

Client 1

Client 4

Req-queue

Req-queue: ftp.server.com

srv1.server.comsrv2.server.com

srv3.server.comServerGrp1

Client 3

Client 5


© David Garlan

Software Architecture

Graph of interacting components Components Connectors

Properties capture semantics E.g., performance

properties, protocols Tools to analyze

Style conformance QoS conformance

Assumptions System can be monitored System can be modified at

run time

User1 User2 User3 User4 User5 User6

ServerGrp1 ServerGrp2 ServerGrp3

Component ServerGrp1(ServerGrpRep)

Server1 Server2 Server3


© David Garlan

Client1 Client2 Client3 Client4Client5 Client6

ServerGrp1 ServerGrp2ServerGrp3

Run-Time Monitoring & Repair


Server1 Server2


Server1 Server2 Server3

L1 = 427 L2 = 603 L3 = 1156 L4 = 658 L5 = 444 L6 = 470

B6 = 45

us = 60.7 %

Ts = 17 ms

us = 26.0 %

Ts = 14 ms


© David Garlan

Making RepairsA

rchit

ect

ure

Arc

hit

ect

ure

Layer

Layer

Repairer (Tailor)

Repairer (Tailor)

Interpreter Interpreter

Translator Translator

Analyzer (Armani)Analyzer (Armani)

Mathilde User2 User3 User4 User5 User6


4 second latency

Client6.avg_latency = 3.1

True?: avg_latency <= max_latency

False! Find the right tactic

Client6.moveClient (ServerGrp2)

User1 User2 User3 User4 User5 User6


Move impl


© David Garlan

A Simple Example

Planning a trip search web for locations compare alternatives on spreadsheet book tickets … consult personal calendar

Suppose I move from my office to my home Today I must

stop all of the applications, being sure to save the files transfer data restart the applications

And it’s worse if I have my calendar on my PDA have different platforms in my home and office want to involve my wife in the process


© David Garlan

Problem

Humans interact at too low a level with computer URLs, filenames, program names, etc. very explicit, step-by-step interactions like programming in machine language!

Result brittle behavior many details change with failures, platform

changes, substitution of “equivalent” component, etc.

consumes user’s attention


© David Garlan

Solution: Task-Driven Computing

Support user intentions capture high-level intent as tasks raise level of abstraction of user interactions

Support mobility suspend/resume on different platforms and

locations dynamically reconfigure to match available

resources Support proactivity

active guidance from system corrections, alternatives, persistence


© David Garlan

A New Layer of System Structure

Users

Physical Devices

OS/Network

Services

Tasks

Physical Devices

OS/Network

Applications

Users


© David Garlan

Adapting to Environment

Environment A

Inst

anti

atio

n

Fee

db

ack

User

Task Space

Taskaccess

Fee

db

ack

Instantiation

Feedback

Mobility/Resource change

Environment B

FeedbackInstantiation

Mobility/Resource change

Environment C


© David Garlan

Task

Service

ServiceService

Research Challenges

Task management Expressive task definition language Mechanisms for tracking, controlling task state Support for multi-user task coordination, incl.

privacy Task realization

Rapid creation of tasks as coalitions of services Optimal use of available resources

Task adaptation Rapid reconfiguration in presence of

environment change Automatic recovery from system errors


© David Garlan

Model-based Adaptation

Run-time ManagerRun-time Manager

Model Mgr.Model Mgr.

Task ManagerTask ManagerTask model

Run-time system

System architecture


© David Garlan

The Problem

Refinement of architectures to implementations is difficult

Past approaches Formal refinement theory

Not practical for most industrial developers Code generation

Not feasible for most systems Build and check

Hard to reverse-architect a system from code

New approach: provide user with 2-tiered model Top tier captures abstract functionality Bottom tier captures implementation dependencies Various manifestations: e.g, Model-Driven Architecture

(MDA)


© David Garlan

Example: Ford Automotive Control Systems

Top tier Control theorists design space Components are abstract: e.g., ignition controller,

temperature sensor, brake actuator Connectors are simple: indicate which components

talk to which other components Designs reusable across many car models

Bottom tier Real components from a library


© David Garlan

Missing Tools

Design tools Enforce constraints Provide visual views Do analyses

Refinement tools Create low-level connections from high level ones

Typically an expansion factor of 100!!!Check for missing connections

Provide access to respositories of componentsThousands of components

Limit design spaceRelationships between components are complex

Estimate savings: in 1 week do what took 6 months before


© David Garlan

Example 2: MDS

NASA Space Software Architecture Mission Data Systems To be used in 2009 mission to Mars

Top tier: “state analysis” Domain experts design control software in terms of

sensors actuators, etc. Worry about properties like power consumption,

failures, state estimation algorithms Bottom tier: component framework

Bind abstract components to real code Add much of the glue through framework libraries


© David Garlan

Other Frontiers

Cognitive Computing Building in automated assistance that can learn

what the user wants Compositional Connectors

Transformational approaches to software architecture

Architecture Conformance Checking How do you know your implementation has the

architecture you designed? Value-based Architecture

How do you balance competing economic tradeoffs in making architectural decisions

Key sub-problem: multi-model architectural design

1 Software Architectures © David Garlan Talk Outline Part 1: Overview of Software Architecture ...

Documents

Transcript of 1 Software Architectures © David Garlan Talk Outline Part 1: Overview of Software Architecture ...