π-AAL: An Architecture Analysis Language for Formally Specifying and Verifying Structural and Behavioral Properties of Software Architectures

Presentation transcript:

π-AAL: An Architecture Analysis Language for Formally Specifying and Verifying Structural and Behavioral Properties of Software Architectures
Radu Mateescu and Flavio Oquendo
Presented by Carlos Rubio Medrano
CS5381 Topics in Software Design: Software Architecture
Department of Computer Science, The University of Texas at El Paso
April 2008

Outline
- Problem Description
- Approach Description
- Property Specification
- User-Defined Properties
- Examples
- Questions?
- Group Exercise


Problem Description
- ADLs are good at expressing structural representations
- Limited support for architectural properties, e.g.:
  - actions a system executes
  - relations among actions
  - behaviors of components and connectors
- Limited support for automatic verification and validation


Approach Description
- Architecture Analysis Languages (AALs) complement ADLs:
  - specify and support semantic properties
  - interleave structural and behavioral aspects
  - well-suited for automated verification
- π-AAL extends π-ADL to specify structural and behavioral properties

π-AAL
- Formal language: based on mathematics
- Core abstract and enhanced syntax with well-defined semantics
- Based on the μ-calculus
- Combines predicate and temporal logic
- Intended for model checking and theorem proving

Illustrative Architecture (figure): filter F1 connected through pipe P to filter F2, with connections i1 (input of F1), o1 (output of F1), i2 (input of F2) and o2 (output of F2).

π-AAL Semantic Model
Predicate-extended labeled transition system (pLTS):
- StateSet: non-empty set of states
- ActionSet: set of actions
- TransitionRelationSet: set of transition relations of the form StateSet × ActionSet × StateSet
- PredicateSetLabelling: set of all predicates true in a given state of StateSet

pLTS of the Illustrative Architecture (figure not reproduced in the transcript)


Property Specification
Properties are specified in terms of logical formulas:
- Predicate formulas
- Action formulas
- Regular formulas
- State formulas
- Connection formulas


Predicate Formulas
Used to write formulas over a set of data value expressions:
  value ::= variable | function(value_1, …, value_n)
where function(value_1, …, value_n) can be any in-line data expression

Predicate Formulas
Functions applied to collections use navigational operators:
  value ::= collectionValue.function(value_1, …, value_n)
    | collectionValue −> function(value_1, …, value_n)
where collectionValue is a sequence, set, or bag

Predicate Formulas
Defined by the following syntax:
  predicateFormula ::= value | false
    | not predicateFormula
    | predicateFormula_1 or predicateFormula_2
    | exists variable : Type. predicateFormula
where value is of boolean type and the boolean literals are false and true

Predicate Formulas
Useful for expressing structural properties, e.g.:
  forall f1, f2 : Filter. forall c1, c2 : Connection.
    ((f1.connections −> includes c1) and (f2.connections −> includes c2))
    implies not connect(c1, c2)
- A filter cannot be connected to another filter


Action Formulas
Used to write action predicate formulas over connections and data values:
  actionFormula ::= action | actionWithWildcard | unobservable | false
    | not actionFormula
    | actionFormula_1 or actionFormula_2
    | exists variable : Type. actionFormula
  action ::= via name send value_1, …, value_n
    | via name receive value_1, …, value_n
  actionWithWildcard ::= via name send any | via name receive any


Regular Formulas
Used to write regular expressions defined over action formulas:
  regularFormula ::= actionFormula
    | regularFormula_1 . regularFormula_2    (sequence)
    | regularFormula_1 | regularFormula_2    (choice)
    | regularFormula*                        (iteration)

Regular Formulas
Example:
  (via i2 send any). (not (via o2 receive any)). (via i1 send any)
Denotes the relation { (s7, s5) }: the source and target states of the sequence s7 -> s6 -> s2 -> s5


State Formulas
Used to write formulas over regular formulas and value variables:
  stateFormula ::= predicateFormula
    | not stateFormula
    | stateFormula_1 or stateFormula_2
    | exists variable : Type. stateFormula
    | 〈 regularFormula 〉 stateFormula
    | Variable (value)
    | (minimal fixpoint Variable (parameter : Type). stateFormula) (value)

State Formulas
Example: communication protocol - no reception before an emission
  initially [ (not (via s send any))*. (via r receive any) ] false
The box modality [R] false holds in a state exactly when no path matching R leaves it, so the formula forbids any receive on r that is not preceded by a send on s.
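To make the two preceding examples concrete (the regular formula denoting { (s7, s5) } and the box formula above), here is a small interpreter for action, regular and box state formulas, written for this transcript and not taken from the paper; the transitions it runs over are constructed to realise the slide's path s7 -> s6 -> s2 -> s5 and are not the paper's pLTS figure. Only connection name and direction are modelled, since the examples use the any wildcard for values.

```python
def via(name, direction):
    """Action formula 'via name send any' / 'via name receive any'."""
    return lambda a: a == (name, direction)

def not_(f):
    return lambda a: not f(a)

# A regular formula maps an LTS (a set of (src, action, dst) triples) to the
# relation {(s, s')} of paths it denotes, as on the "Regular Formulas" slide.
def act(f):
    return lambda lts: {(s, t) for (s, a, t) in lts if f(a)}

def seq(r1, r2):
    return lambda lts: {(s, u) for (s, t) in r1(lts)
                        for (t2, u) in r2(lts) if t == t2}

alt = lambda r1, r2: (lambda lts: r1(lts) | r2(lts))   # choice

def star(r):
    def run(lts):
        states = {x for (s, _, t) in lts for x in (s, t)}
        rel, step = {(s, s) for s in states}, r(lts)   # zero iterations first
        while True:
            new = rel | {(s, u) for (s, t) in rel for (t2, u) in step if t == t2}
            if new == rel:
                return rel
            rel = new
    return run

def box(r, phi):
    """State formula [r] phi: phi must hold in every state reachable via r."""
    return lambda lts, s: all(phi(lts, t) for (s0, t) in r(lts) if s0 == s)

FALSE = lambda lts, s: False

# Constructed transitions (an assumption, not the paper's pLTS): the slide's
# path s7 -> s6 -> s2 -> s5 plus one extra transition out of s5.
LTS = {("s7", ("i2", "send"), "s6"), ("s6", ("o1", "send"), "s2"),
       ("s2", ("i1", "send"), "s5"), ("s5", ("o2", "receive"), "s7")}

def example_relation():
    """(via i2 send any). (not (via o2 receive any)). (via i1 send any)"""
    r = seq(act(via("i2", "send")),
            seq(act(not_(via("o2", "receive"))), act(via("i1", "send"))))
    return r(LTS)

def no_reception_before_emission(start, s, r):
    """[ (not (via s send any))*. (via r receive any) ] false, checked at start."""
    f = box(seq(star(act(not_(via(s, "send")))), act(via(r, "receive"))), FALSE)
    return f(LTS, start)
```

With the constructed transitions, the property holds from s7 (the only path to a receive on o2 passes a send on i1 first) and fails from s5, where the receive happens immediately.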


Connection Formulas
- Used to write formulas on connections as first-class elements
- Tailored for dynamic changes in the architectural structure
- Parameter cIn denotes the set of sending connections
- Parameter cOut denotes the set of receiving connections


User-Defined Properties
Abstract syntax:
  PropertyDefinition ::= with { name : Abstraction } name is property(x_1, …, x_n) { Formula }
  PropertyApplication ::= using { abstractionValue } verify { Formula }


Examples (figure): the illustrative architecture again, F1 connected through P to F2 with connections i1, o1, i2, o2.

Examples: the Filter component in π-ADL
  component Filter is abstraction() {
    type Data is Any.
    port is {
      connection input is in(Data).
      connection output is out(Data)
    } assuming {
      protocol is { (via input receive any. true*. via output send any)* }
    }.
    behaviour is {
      transform is function(d : Data) : Data { unobservable }.
      via input receive d : Data.
      via output send transform(d).
      behaviour()
    }
  }

Examples: the Pipe connector in π-ADL
  connector Pipe is abstraction() {
    type Data is Any.
    port is {
      connection input is in(Data).
      connection output is out(Data)
    } assuming {
      protocol is { (via input receive d : Data. via output send d)* }
    }.
    behaviour is {
      via input receive d : Data.
      via output send d.
      behaviour()
    }
  }

Examples: the Pipeline architecture in π-ADL
  architecture Pipeline is abstraction() {
    behaviour is compose {
      F1 is Filter() and P is Pipe() and F2 is Filter()
    } where {
      F1::input as i1 and
      P::input unifies F1::output as o1 and
      P::output unifies F2::input as i2 and
      F2::output as o2
    }
  }

Examples: a user-defined property in π-AAL
  with { pl : Pipeline }
  connectivityBetweenFilters is property() {
    -- a filter port cannot be connected to another filter port
    pl.components −> forall { f1, f2 |
      f1.ports.connections −> forall { cf1 |
        f2.ports.connections −> forall { cf2 |
          not (cf1 unifies cf2) } } }
  }
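The same structural property evaluated over a plain data model of the Pipeline, as an added example that is neither the paper's nor the slides' code: component kinds, port names and the unifies pairs come from the Pipeline slide, while the dict encoding, the restriction of f1 and f2 to Filter components (as in the earlier forall f1, f2 : Filter formula) and the second, mis-wired architecture are assumptions of this example.

```python
PIPELINE = {
    "components": {"F1": "Filter", "P": "Pipe", "F2": "Filter"},
    # where { P::input unifies F1::output and P::output unifies F2::input }
    "unifies": {("F1::output", "P::input"), ("P::output", "F2::input")},
}

def connections(comp):
    """Every Filter and Pipe on the slides declares exactly an input and an output."""
    return {f"{comp}::input", f"{comp}::output"}

def unifies(arch, c1, c2):
    # unification is symmetric, so check both orderings of the recorded pair
    return (c1, c2) in arch["unifies"] or (c2, c1) in arch["unifies"]

def violations(arch):
    """Pairs (cf1, cf2) of filter connections that unify: witnesses against
    pl.components -> forall { f1, f2 | ... not (cf1 unifies cf2) }."""
    filters = [c for c, kind in arch["components"].items() if kind == "Filter"]
    return {(cf1, cf2)
            for f1 in filters for f2 in filters
            for cf1 in connections(f1) for cf2 in connections(f2)
            if unifies(arch, cf1, cf2)}

def connectivity_between_filters(arch):
    """True when the property holds, i.e. no filter port unifies with a filter port."""
    return not violations(arch)

# Constructed counter-model (an assumption): the Pipeline with an extra
# unification that wires F1 straight into F2, bypassing the pipe.
SHORTCUT = {"components": PIPELINE["components"],
            "unifies": PIPELINE["unifies"] | {("F1::output", "F2::input")}}
```

Because the quantifiers range over ordered pairs, a single bad wiring shows up twice in violations, once per direction.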


Questions?


Group Exercise
Use π-ADL and π-AAL to define a C2-style architecture, called C2PiAAL, with the following:
- Two components, Artist and ADTController
- One connector, C2Connector
- Artist sends an updateADT request
- ADTController sends an ADTUpdated notification upon receiving updateADT and applying the function processMessage(updateADT)
- C2Connector simply forwards all messages to all components connected to it
- Create a property, called C2ConnectionSafety, to prevent components from connecting to each other

Group Exercise (figure): Artist and ADTController, with updateADT sent by Artist and ADTUpdated sent back by ADTController.