Behavior models for software architecture

Monterey Phoenix (MP) is an approach to formal software system architecture specification based on behavior models. Architecture modeling focuses not only on the activities and interactions within the system, but also on the interactions between the system and its environment, providing an abstraction for interaction specification. The behavior of the system is defined as a set of events (event trace) with two basic relations: precedence and inclusion. The structure of possible event traces is specified using event grammars and other constraints organized into schemas. The separation of the interaction description from the components behavior is an essential MP feature. The schema framework is amenable to stepwise architecture refinement, reuse, composition, visualization, and multiple view extraction. The approach yields a basis for executable architecture specification supporting early testing and verification, systematic use case generation, and performance estimates with automated tools.Consortium for Robotics and Unmanned Systems Education and Research (CRUSER)Consortium for Robotics and Unmanned Systems Education and Research (CRUSER)Approved for public release; distribution is unlimited.Approved for public release; distribution is unlimited

Context sensitive user interfaces

This paper presents a conceptual design model for user interfaces (MASS1) and a general formalism for dialogue specification (Interaction Scripts) which are the most important components of an approach to the methodological, iterative design of Interactive Systems from formal, model-based specification of both the application and the User Interface (UI). This approach allows the integration of both dialogue and application semantics from the beginning of the design process, by using prototypes derived from both specifications. Assuming that all the application semantics is available at early design stages, the MASS model defines a set of guidelines that will enforce the designer to create user interfaces that will present a prophylactic instead of the usual therapeutic behaviour. By a prophylactic behaviour it is meant, metaphorically, that the UI will exhibit a behaviour that prevents and avoids both syntactic and semantic user errors, in contrast with the most usual therapeutic, or error recovery, behaviour. The dialogue specification formalism(Interaction Scripts) despite being general, in the sense that it may be applied to the specification of any kind of dialogue, is specially suited to the specification of UIs with the behaviour prescribed by the MASS design model. In addition, it is independent from concrete environment details, therefore allowing for different implementations of the same specification, that is, different looks and feels. The operational semantics of the Interaction Script notation is also presented in terms of Petri-Nets that are automatically generated from the Interaction Script specification of the dialogue controller

Reactive system verification case study: Fault-tolerant transputer communication

A reactive program is one which engages in an ongoing interaction with its environment. A system which is controlled by an embedded reactive program is called a reactive system. Examples of reactive systems are aircraft flight management systems, bank automatic teller machine (ATM) networks, airline reservation systems, and computer operating systems. Reactive systems are often naturally modeled (for logical design purposes) as a composition of autonomous processes which progress concurrently and which communicate to share information and/or to coordinate activities. Formal (i.e., mathematical) frameworks for system verification are tools used to increase the users' confidence that a system design satisfies its specification. A framework for reactive system verification includes formal languages for system modeling and for behavior specification and decision procedures and/or proof-systems for verifying that the system model satisfies the system specifications. Using the Ostroff framework for reactive system verification, an approach to achieving fault-tolerant communication between transputers was shown to be effective. The key components of the design, the decoupler processes, may be viewed as discrete-event-controllers introduced to constrain system behavior such that system specifications are satisfied. The Ostroff framework was also effective. The expressiveness of the modeling language permitted construction of a faithful model of the transputer network. The relevant specifications were readily expressed in the specification language. The set of decision procedures provided was adequate to verify the specifications of interest. The need for improved support for system behavior visualization is emphasized

From distributed coordination to field calculus and aggregate computing

open6siThis work has been partially supported by: EU Horizon 2020 project HyVar (www.hyvar-project .eu), GA No. 644298; ICT COST Action IC1402 ARVI (www.cost -arvi .eu); Ateneo/CSP D16D15000360005 project RunVar (runvar-project.di.unito.it).Aggregate computing is an emerging approach to the engineering of complex coordination for distributed systems, based on viewing system interactions in terms of information propagating through collectives of devices, rather than in terms of individual devices and their interaction with their peers and environment. The foundation of this approach is the distillation of a number of prior approaches, both formal and pragmatic, proposed under the umbrella of field-based coordination, and culminating into the field calculus, a universal functional programming model for the specification and composition of collective behaviours with equivalent local and aggregate semantics. This foundation has been elaborated into a layered approach to engineering coordination of complex distributed systems, building up to pragmatic applications through intermediate layers encompassing reusable libraries of program components. Furthermore, some of these components are formally shown to satisfy formal properties like self-stabilisation, which transfer to whole application services by functional composition. In this survey, we trace the development and antecedents of field calculus, review the field calculus itself and the current state of aggregate computing theory and practice, and discuss a roadmap of current research directions with implications for the development of a broad range of distributed systems.embargoed_20210910Viroli, Mirko; Beal, Jacob; Damiani, Ferruccio; Audrito, Giorgio; Casadei, Roberto; Pianini, DaniloViroli, Mirko; Beal, Jacob; Damiani, Ferruccio; Audrito, Giorgio; Casadei, Roberto; Pianini, Danil

Software components and formal methods from a computational viewpoint

Software components and the methodology of component-based development offer a promising approach to master the design complexity of huge software products because they separate the concerns of software architecture from individual component behavior and allow for reusability of components. In combination with formal methods, the specification of a formal component model of the later software product or system allows for establishing and verifying important system properties in an automatic and convenient way, which positively contributes to the overall correctness of the system. Here, we study such a combined approach. As similar approaches, we also face the so-called state space explosion problem which makes property verification computationally hard. In order to cope with this problem, we derive techniques that are guaranteed to work in polynomial time in the size of the specification of the system under analysis, i.e., we put an emphasis on the computational viewpoint of verification. As a consequence, we consider interesting subclasses of component-based systems that are amenable to such analysis. We are particularly interested in ideas that exploit the compositionality of the component model and refrain from understanding a system as a monolithic block. The assumptions that accompany the set of systems that are verifiable with our techniques can be interpreted as general design rules that forbid to build systems at will in order to gain efficient verification techniques. The compositional nature of software components thereby offers development strategies that lead to systems that are correct by construction. Moreover, this nature also facilitates compositional reduction techniques that allow to reduce a given model to the core that is relevant for verification. We consider properties specified in Computation Tree Logic and put an emphasis on the property of deadlock-freedom. We use the framework of interaction systems as the formal component model, but our results carry over to other formal models for component-based development. We include several examples and evaluate some ideas with respect to experiments with a prototype implementation

Identification of Biological Regulatory Networks from Process Hitting models

International audienceQualitative formalisms offer a well-established alternative to the more tradi-tionally used differential equation models of Biological Regulatory Networks (BRNs). These formalisms led to numerous theoretical works and practical tools to understand emerging behaviors. The analysis of the dynamics of very large models is however a rather hard problem, which led us to previously in-troduce the Process Hitting framework (PH), which is a particular class of non-deterministic asynchronous automata network (or safe Petri nets). Its major advantage lies in the efficiency of several static analyses recently designed to assess dynamical properties, making it possible to tackle very large models. In this paper, we address the formal identification of qualitative models of BRNs from PH models. First, the inference of the Interaction Graph from a PH model summarizes the signed influences between the components that are effective for the dynamics. Second, we provide the inference of all René-Thomas models of BRNs that are compatible with a given PH. As the PH allows the specification of nondeterministic interactions between components, our inference emphasizes the ability of PH to deal with large BRNs with incomplete knowledge on interactions, where Thomas's approach fails because of the combinatorics of parameters. The inference of corresponding Thomas models is implemented using An-swer Set Programming, which allows in particular an efficient enumeration of (possibly numerous) compatible parametrizations

Interface specification methods for software components

This report presents an interface specification language developed as a part of the LIME-project (LightweIght formal Methods for distributed component-based Embedded systems) and a tool implementation to support it. The intention is to provide a methodology that is lightweight and complementary to the existing means of quality assurance in a software process. The specification language provides a mechanism for specifying both external usage of a software component, as well as the internal behavior of a one. The former is referred to as interface specification, and the latter to as library specification. Should the interface specification be breached between two interacting components, the calling component is incorrect. Likewise, if the called component does not obey library specification, it will be the one to take the blame. Both types of specification can be written using either propositional linear temporal logic (PLTL) or by regular expressions, and may contain claims about the component's state or the currently executing method. Java has been used as the implementation language on the approach because of the preexisting metadata mechanism (Java annotations) and good tool support. The tool implementation relies on aspect-oriented programming developed by Gregor Kiczales and his team at Xerox PARC in the late 90s. It employs annotation-guided generation of temporal safety aspects to synthesize the defined properties as behavioral invariants to the runtime execution of the program. The aspects simulate finite state automata which keep track of the state of the interaction and signal an exception in case of an error in it is observed

iMOOC : building a platform from existing software components

iMOOC is a new pedagogical model for massive open online courses (Teixeira & Mota, 2013), that evolved from UAb’s online model (Pereira et al., 2008), based on its four pillars of student-centered learning, interaction, flexibility and digital inclusion. It is also a software platform, that supports this model, and that was developed at UAb in close articulation with the pedagogical model. In this paper we describe the guidelines that oriented such development, and argue in favor of the use (or re-use) of well-established and robust software components for this purpose, as opposed to building platforms from scratch. The emergence of MOOCs as open courses, where participants have free access to the course, created new challenges in a closed, formatted LMS landscape. This led to the development of whole new environments that addressed those requirements (edX, Coursera). The iMOOC approach, however, was to build a platform from existing open source software components using an integration of Moodle (https://moodle.org/), which was previously adapted to UAb’s pedagogical model (Rocio & Coelho, 2009), and Elgg (http://elgg.org/), combining the advantages of both formal and informal learning modes, and addressing the pedagogical requirements in a cost-effective way. The integration was achieved using the IMS specification for LTI (learning tools interoperability) (Severance, 2010). As a result, the iMOOC platform has been successfully used both in stand-alone projects, and also in the european ECO project, where the effort to turn it project-compliant was relatively simple, due to the adoption of well-established protocols

A grammatical specification of human-computer dialogue

The Seeheim Model of human-computer interaction partitions an interactive application into a user-interface, a dialogue controller and the application itself. One of the formal techniques of implementing the dialogue controller is based on context-free grammars and automata. In this work, we modify an off-the-shelf compiler generator (YACC) to generate the dialogue controller. The dialogue controller is then integrated into the popular X-window system, to create an interactive-application generator. The actions of the user drive the automaton, which in turn controls the application

Interacting Components

SystemCSP is a graphical modeling language based on both CSP and concepts of component-based software development. The component framework of SystemCSP enables specification of both interaction scenarios and relative execution ordering among components. Specification and implementation of interaction among participating components is formalized via the notion of interaction contract. The used approach enables incremental design of execution diagrams by adding restrictions in different interaction diagrams throughout the process of system design. In this way all different diagrams are related into a single formally verifiable system. The concept of reusable formally verifiable interaction contracts is illustrated by designing set of design patterns for typical fault tolerance interaction scenarios