1 Software Architectures © David Garlan Talk Outline Part 1: Overview of Software Architecture ...
-
date post
18-Dec-2015 -
Category
Documents
-
view
219 -
download
0
Transcript of 1 Software Architectures © David Garlan Talk Outline Part 1: Overview of Software Architecture ...
1Software Architectures
© David Garlan
Talk Outline
Part 1: Overview of Software Architecture What is software architecture? What are essential architectural concepts?
Part 2: Modeling and Analysis Formal representations of architecture Formal analysis and model checking of
architectures UML
Part 3: Selected Frontiers Ubiquitous Computing Mobility and Task-based Systems Two-tiered methods (MDA) Others
2Software Architectures
© David Garlan
Kinds of Analyses
ConsistencyDo the parts fit together?
CompletenessAre parts missing?
RefinementCan one architecture be substituted for another?
Verification and Architectural ConformanceDoes an implementation conform to the architecture?
System-wide behavior, performance, reliability, etc.What is the aggregate behavior of a system, given the behaviors
of the parts?
Evaluating design choices and trade-offsHow do we decide what architectural decisions to make?
3Software Architectures
© David Garlan
Analyzing Architectural Behavior
Much of the architectural research effort has been devoted to modeling and analysis of architectural behavior Defines abstract events at the architectural level Usually identifies protocols of interaction for
connectors Based on various modeling formalisms
Process algebras Chemical Abstract Machine Statecharts Pre/post conditions Category theory (ComUnity) … and many others
WRIGHT Configurations
c
cs
s
Configuration SimpleClientServer
Component ServerPort provide: <provide protocol>Computation: <Server behavior>
Component ClientPort request: <request protocol>Computation: <Client behavior>
Connector C-S-connectorRole client: <request protocol>Role server: <server protocol>Glue <glue protocol>
Instancess: Serverc: Client cs: C-S-connector
Attachmentss.provide as cs.server
c.request as cs.clientend SimpleClientServer
Component types
Connector
types
Instances
Attachments
WRIGHT StylesStyle ClientServerStyle
Connector C-S-connector (n: 1..)
Role client1..n: <request protocol>Role server: <server protocol>Glue <glue protocol>
Constraints <constraints>end ClientServerStyle
System SimpleClientServerStyle ClientServerStyleComponent Server ...Component Client ...Instances …
cs: C-S-connector(1)Attachments ...
end SimpleClientServer
Style inclusion
Parameterized connectors
Connector instantiation
6Software Architectures
© David Garlan
Specifying Behavior (Protocols)
Events: request, newValue?y
Processes: P, WorldModel, Client, §
Sequence: e P, P;Q
Choice: P Q, P [] Q
Quantification: [] x: S P(x)
Notation (based on CSP):
7Software Architectures
© David Garlan
A Client-Server Connector
Connector ClientServer
Role Client = open Operate §
where Operate = request result?x Operate
close §
Role Server = open Operate §
where Operate = request result!x Operate
close §
Glue = Client.open Server.open Glue
[] Client.close Server.close Glue
[] Client.request Server.request Glue
[] Server.result?x Client.result!x Glue
[] §
8Software Architectures
© David Garlan
A Pipe Connector
Connector Pipe Role Writer = (write!x Writer) (close §)Role Reader = Read Exit
where Read = (read?x Reader) [] (eof Exit)Exit = close §
Glue = Writer.write?x Glue []Reader.read!y Glue []Writer.close ReadOnly []Reader.close WriteOnly
where ...
9Software Architectures
© David Garlan
A Pipe Connector (continued)
where
WriteOnly =
Writer.write?x WriteOnly [] Writer.close §
andReadOnly =
Reader.read!y ReadOnly
[] Reader.eof Reader.close §[] Reader.close §
10Software Architectures
© David Garlan
Components
Component ReadOneFilter =Port ReadOne = (read close §) (close §)
Port WriteOne = write close §
Computation = …
Component DataFile
Port File = Action [] Exit
where Action = (read File [] write File)
and Exit = close §
Computation = …
11Software Architectures
© David Garlan
Analyzing WRIGHT Specifications
Consistency Connector is deadlock-free
roles do not conflict with each other or the glue Component interface matches its computation
ports are projections of the component behavior Compatibility
Port-role compatibility port satisfies requirements of role
Instance-style compatibility configuration obeys style constraints
Completeness Unattached port check
does a port require a connection
Most of these properties can be checked automatically using model checking
12Software Architectures
© David Garlan
Consistency Checking
Connector SharedData
Role User1 = (set User1) (get User1) §
Role User2 = (set User2) (get User2) §
Glue = User1.set Continue [] User2.set Continue [] §
where Continue =
User1.set Continue [] User2.set Continue []
User1.get Continue [] User2.get Continue
[] §
Deadlock occurs when both users choose to “get” initially.
13Software Architectures
© David Garlan
Compatibility Checking
When can a port be legally attached to as a role?Yes:
Port P = (push P) §Role R = (push R) (pop R) §
No:
Port P = (push P) §Role R = init R'
where R' = (push R') (pop R') §
So are the ports of the previous filters
compatible with the Pipe roles? (ans: yes)
14Software Architectures
© David Garlan
Automating WRIGHT Analyses
Most of the checks can be automated for finite models
We use FDR from Formal Systems, Ltd. commercial model checker for CSP used extensively by Inmos
Our tools translate Wright into FDR syntax and then invoke predefined tests flattens structure; expands names calculates alphabets adds explicit types for channels
Can also investigate other properties directly through FDR e.g., satisfaction of some particular trace
15Software Architectures
© David Garlan
How FDR Works
FDR checks whether one process refines another refinement means “is substitutable for”
if P = (e P f P) and Q = e Q then Q refines Pif P = (e P f P) and Q = e Q then Q doesn’t refine P
several flavors: trace, failures, failure/divergences To check some property of process P
find a process Q that embodies just that property hide irrelevant parts of P, and rename, to give P’ check that the P’ refines Q
Example: check deadlock freedom of process P with respect to events in set SQ = e QP’ = P \ diff(alpha_P, S) [[ e x | x S ]]
16Software Architectures
© David Garlan
Example: Distributed Simulation
Distributed simulation simulation is a multi-billion $ industry critical problem for DoD (and others) is multi-vendor
interoperability envision ~1000 cooperating simulations
The "High-Level Architecture” (HLA) Defense Modeling and Simulation Office (DMSO) standard -- about 250 pages http://www.dmso.mil/docslib/hla each page defines 1 API call 3-year effort high visibility
Sim1 Sim2 Sim3
17Software Architectures
© David Garlan
The HLA Architecture
Federate Federate ...
FedInterface
Runtime Interface(RTI)
18Software Architectures
© David Garlan
WRIGHT View: an RTI Connector
Runtime Interface(RTI)FedInterface
(Role)
Glue
19Software Architectures
© David Garlan
20Software Architectures
© David Garlan
The Wright Specification
Style HLA
Connector RTI(nsim:1..)
Role Fed1..nsim = FedInterface
Glue = RTIBehavior
Constraints
r:Connectors | {r} = ConnectorsType(r) = RTI
end HLA
21Software Architectures
© David Garlan
FedInterface
FedInterface = FedMgmt || DeclMgmt || ObjMgmt || OwnMgmt
|| TimeMgmt || FedJoined || ControlPausewhere
FedMgmt = … DeclMgmt = ……
General structure follows this patternDeclMgmt =
InitiateDeclActivity
[] WaitForDeclActivity [] resignFedExecution §
22Software Architectures
© David Garlan
RTIBehavior
RTIBehavior = MiniProtocols || JoinedFeds{} || HandleMembership
where
MiniProtocols =
PauseProtocol || SaveProtocol || SubscribeProtocol || OwnershipProtocol || ObjectProtocol || OtherBehavior
Example:PauseProtocol =
([] i:1..nsim Fedi.requestPause
memberFeds?S pausedFeds?T
(; j:(S \ T) Fedj.schedulePause §) ; PauseProtocol
[] ([] i:1..nsim Fedi.requestResume …[] §
23Software Architectures
© David Garlan
FedRunning = requestPause FedRunning schedulePause pauseAchieved FedPaused
HandlePauseS = i: S [] Fedi.requestPause
( i: S ; Fedi.schedulePause §) ; HandlePauseS
FedPaused = requestResume FedPaused scheduleResume resumeAchieved FedRunning
Consistency Check 2: Paused on Join
JoinFed = joinFedExecution FedRunning
Role
___________
Glue
24Software Architectures
© David Garlan
Pause on Join
Federate Federate
RTI
(1) joinFedExecution(2) requestPause(3) schedulePause(4) pauseAchieved
(5) joinFedExecution(6) requestPause
25Software Architectures
© David Garlan
Oops!
Federate Federate
RTI
(1) joinFedExecution(2) requestPause(3) schedulePause(4) pauseAchieved
(7) schedulePause
(5) joinFedExecution(6) requestPause
26Software Architectures
© David Garlan
Results
Modeled 5/6 of HLA behavior in Wright about 20 pages initially part of Robert Allen’s Ph.D. thesis identified about 12 problems later full-time staff member took over major work
Identified over 80 issues clarified design especially in areas of
synchronization and time stamping ended up authoring parts of published standard also used Z and StateCharts to model some
aspects of the architecture some of our formal model included in current
documentation
27Software Architectures
© David Garlan
Classification of Findings
Ambiguity/imprecise wording 28
critical reading, Wright, other Inadequate pre-/post-conditions 12
critical reading Missing information 20
critical reading, Wright, FDR Race conditions 5
FDR, Wright Errors (invariant violation, unexpected conseqs) 11
critical reading, Wright, other Misc (typos, impl warnings, docn inconsistencies) 11
critical reading ,Wright, FDR 87 issues
28Software Architectures
© David Garlan
Other Examples
Java Phone Enterprise Java Beans
See papers on www.cs.cmu/edu/~able
29Software Architectures
© David Garlan
What about UML?
Unified Modeling Language (UML) emerging standard for object-oriented modeling collection of many different notations, mostly
graphicalobject diagrams, class diagrams, sequence diagrams,
… very hot area in the oo community
Code
Software Architecture
Requirements
UML???
30Software Architectures
© David Garlan
Arch Description and UML
Requirements
Code
ADLs UML
31Software Architectures
© David Garlan
Strategies to EncodeArchitectural Designs in UML
How do you model an architectural component type and architectural component instance? 1. classes and instances2. stereotypes and classes3. classes and classes4. UML components5. packages (subsystems)
… and for each of these strategies there are many sub-alternatives for connectors, interfaces, styles, representations, etc.
32Software Architectures
© David Garlan
UML Limitations
All of these solutions suffer from one or more of the following problems
1. Incompleteness no home for essential information (associated
with previous list of first-class entities)2. Illegibility
can find first-class home for architectural info, but the result is a visual (and conceptual) mess
3. Semantic mismatch may look visually clean, but underlying
intuitions are at odds4. Unanalyzability
even when you can represent it, and it looks nice, there is nothing you can do with it (except use it as documentation)
33Software Architectures
© David Garlan
Specific Problem Areas
Multiple interfaces of the same type Note Java or Com interfaces won’t work
Scoped substructure Note collaboration diagrams won’t work
First-class connectors Note associations aren’t sufficient, since can’t
represent substructure, or define independently of context
Styles Profiles are too heavy-handed; packages provide
aggregation, but can’t support restrictions
34Software Architectures
© David Garlan
Talk Outline
Part 1: Overview of Software Architecture What is software architecture? What are essential architectural concepts?
Part 2: Modeling and Analysis Formal representations of architecture Formal analysis and model checking of
architectures UML
Part 3: Selected Frontiers Ubiquitous Computing Mobility and Task-based Systems Two-tiered methods (MDA) Others
35Software Architectures
© David Garlan
Frontier 1: Ubiquitous Computing
Computers and information potentially everywhere Thousands of computing elements at our disposal Heterogeneous universe
Desktops, mainframes, PDAs,Smart appliancesWearable computersSensors and actuators
Not just keyboards: voice/speech/gesture interfaces
Convergence of communications, information, computing
Mobile users
36Software Architectures
© David Garlan
Consequences for Software & Systems
Increasingly, systems must be composed of parts built by many
organizations run continuously operate in environments where resources
change frequently be usable by mobile users
For such systems, traditional methods break down Exhaustive verification and testing not possible Manual reconfiguration does not scale Off-line repair and enhancement is not an option
37Software Architectures
© David Garlan
What Has to Change?
Goal: systems automatically and optimally adapt to handle changes in user needs variable resources faults user mobility
In short, systems must be come self-** = managing, healing, protecting, adaptive, configuring, etc.
38Software Architectures
© David Garlan
But how?
Move from open-loop to closed-loop systems
?
Executing System
Control Mechanisms
SenseAffect
Systems monitor their own behavior, and have engineered control mechanisms to detect problems and effect repairs.
39Software Architectures
© David Garlan
Architecture-Driven Adaptation
ConstraintEvaluator
RepairHandler
Interpreter
Architecture Layer
Arch. Model
GenericAPI
MonitoringMechanisms
Executing System
Implementation Layer
Translator
RuntimeManager
40Software Architectures
© David Garlan
Example
Spare Servers
Spare Servers
Client 6
Client 2
Client 1
Client 4
Req-queue
Req-queue: ftp.server.com
srv1.server.comsrv2.server.com
srv3.server.comServerGrp1
Client 3
Client 5
41Software Architectures
© David Garlan
Software Architecture
Graph of interacting components Components Connectors
Properties capture semantics E.g., performance
properties, protocols Tools to analyze
Style conformance QoS conformance
Assumptions System can be monitored System can be modified at
run time
User1 User2 User3 User4 User5 User6
ServerGrp1 ServerGrp2 ServerGrp3
Component ServerGrp1(ServerGrpRep)
Server1 Server2 Server3
42Software Architectures
© David Garlan
Client1 Client2 Client3 Client4Client5 Client6
ServerGrp1 ServerGrp2ServerGrp3
Run-Time Monitoring & Repair
Component ServerGrp2(ServerGrpRep)
Server1 Server2
Component ServerGrp1(ServerGrpRep)
Server1 Server2 Server3
L1 = 427 L2 = 603 L3 = 1156 L4 = 658 L5 = 444 L6 = 470
B6 = 45
us = 60.7 %
Ts = 17 ms
us = 26.0 %
Ts = 14 ms
43Software Architectures
© David Garlan
Making RepairsA
rchit
ect
ure
Arc
hit
ect
ure
Layer
Layer
Repairer (Tailor)
Repairer (Tailor)
Interpreter Interpreter
Translator Translator
Analyzer (Armani)Analyzer (Armani)
Mathilde User2 User3 User4 User5 User6
ServerGrp1 ServerGrp2 ServerGrp3
4 second latency
Client6.avg_latency = 3.1
True?: avg_latency <= max_latency
False! Find the right tactic
Client6.moveClient (ServerGrp2)
User1 User2 User3 User4 User5 User6
ServerGrp1 ServerGrp2 ServerGrp3
Move impl
44Software Architectures
© David Garlan
Frontier 2: Mobility
45Software Architectures
© David Garlan
A Simple Example
Planning a trip search web for locations compare alternatives on spreadsheet book tickets … consult personal calendar
Suppose I move from my office to my home Today I must
stop all of the applications, being sure to save the files transfer data restart the applications
And it’s worse if I have my calendar on my PDA have different platforms in my home and office want to involve my wife in the process
46Software Architectures
© David Garlan
Problem
Humans interact at too low a level with computer URLs, filenames, program names, etc. very explicit, step-by-step interactions like programming in machine language!
Result brittle behavior many details change with failures, platform
changes, substitution of “equivalent” component, etc.
consumes user’s attention
47Software Architectures
© David Garlan
Solution: Task-Driven Computing
Support user intentions capture high-level intent as tasks raise level of abstraction of user interactions
Support mobility suspend/resume on different platforms and
locations dynamically reconfigure to match available
resources Support proactivity
active guidance from system corrections, alternatives, persistence
48Software Architectures
© David Garlan
A New Layer of System Structure
Users
Physical Devices
OS/Network
Services
Tasks
Physical Devices
OS/Network
Applications
Users
49Software Architectures
© David Garlan
Adapting to Environment
Environment A
Inst
anti
atio
n
Fee
db
ack
User
Task Space
Taskaccess
Fee
db
ack
Instantiation
Feedback
Mobility/Resource change
Environment B
FeedbackInstantiation
Mobility/Resource change
Environment C
50Software Architectures
© David Garlan
Task
Service
ServiceService
Research Challenges
Task management Expressive task definition language Mechanisms for tracking, controlling task state Support for multi-user task coordination, incl.
privacy Task realization
Rapid creation of tasks as coalitions of services Optimal use of available resources
Task adaptation Rapid reconfiguration in presence of
environment change Automatic recovery from system errors
51Software Architectures
© David Garlan
Model-based Adaptation
Run-time ManagerRun-time Manager
Model Mgr.Model Mgr.
Task ManagerTask ManagerTask model
Run-time system
System architecture
52Software Architectures
© David Garlan
Frontier 3: Two-Tiered Models
53Software Architectures
© David Garlan
The Problem
Refinement of architectures to implementations is difficult
Past approaches Formal refinement theory
Not practical for most industrial developers Code generation
Not feasible for most systems Build and check
Hard to reverse-architect a system from code
New approach: provide user with 2-tiered model Top tier captures abstract functionality Bottom tier captures implementation dependencies Various manifestations: e.g, Model-Driven Architecture
(MDA)
54Software Architectures
© David Garlan
Example: Ford Automotive Control Systems
Top tier Control theorists design space Components are abstract: e.g., ignition controller,
temperature sensor, brake actuator Connectors are simple: indicate which components
talk to which other components Designs reusable across many car models
Bottom tier Real components from a library
55Software Architectures
© David Garlan
Missing Tools
Design tools Enforce constraints Provide visual views Do analyses
Refinement tools Create low-level connections from high level ones
Typically an expansion factor of 100!!!Check for missing connections
Provide access to respositories of componentsThousands of components
Limit design spaceRelationships between components are complex
Estimate savings: in 1 week do what took 6 months before
56Software Architectures
© David Garlan
Example 2: MDS
NASA Space Software Architecture Mission Data Systems To be used in 2009 mission to Mars
Top tier: “state analysis” Domain experts design control software in terms of
sensors actuators, etc. Worry about properties like power consumption,
failures, state estimation algorithms Bottom tier: component framework
Bind abstract components to real code Add much of the glue through framework libraries
57Software Architectures
© David Garlan
Other Frontiers
Cognitive Computing Building in automated assistance that can learn
what the user wants Compositional Connectors
Transformational approaches to software architecture
Architecture Conformance Checking How do you know your implementation has the
architecture you designed? Value-based Architecture
How do you balance competing economic tradeoffs in making architectural decisions
Key sub-problem: multi-model architectural design