Ingrid Chieh Yu

Creol: a type-safe object-oriented model for distributed concurrent systems

Object-oriented distributed computing is becoming increasingly important for critical infrastructure in society. In standard object-oriented models, objects synchronize on method calls. These models may be criticized in the distributed setting for their tight coupling of communication and synchronization; network delays and instabilities may locally result in much waiting and even deadlock. The Creol model targets distributed objects by a looser coupling of method calls and synchronization. Asynchronous method calls and high-level local control structures allow local computation to adapt to network instability. Object variables are typed by interfaces, so communication with remote objects is independent from their implementation. The inheritance and subtyping relations are distinct in Creol. Interfaces form a subtype hierarchy, whereas multiple inheritance is used for code reuse at the class level. This paper presents the Creol syntax, operational semantics, and type system. It is shown that runtime type errors do not occur for well-typed programs.

A transformational proof system for delta-oriented programming

Delta-oriented programming is a modular, yet flexible technique to implement software product lines. To efficiently verify the specifications of all possible product variants of a product line, it is usually infeasible to generate all product variants and to verify them individually. To counter this problem, we propose a transformational proof system in which the specifications in a delta module describe changes to previous specifications. Our approach allows each delta module to be verified in isolation, based on symbolic assumptions for calls to methods which may be in other delta modules. When product variants are generated from delta modules, these assumptions are instantiated by the actual guarantees of the methods in the considered product variant and used to derive the specifications of this product variant.

Dynamic Classes: Modular Asynchronous Evolution of Distributed Concurrent Objects

Many long-lived and distributed systems must remain available yet evolve over time, due to, e.g., bugfixes, feature extensions, or changing user requirements. To facilitate such changes, formal methods can help in modeling and analyzing runtime software evolution. This paper presents an executable object-oriented modeling language which supports runtime software evolution. The language, based on Creol, targets distributed systems by active objects, asynchronous method calls, and futures. A dynamic class construct is proposed in this setting, providing an asynchronous and modular upgrade mechanism. At runtime, class redefinitions gradually upgrade existing instances of a class and of its subclasses. An upgrade may depend on previous upgrades of other classes. For asynchronous runtime upgrades, the static picture may differ from the actual runtime system. An operational semantics and a type and effect system are given for the language. The type analysis of an upgrade infers and collects dependencies on previous upgrades. These dependencies are exploited as runtime constraints to ensure type safety.

Type-Safe runtime class upgrades in creol

Modern applications distributed across networks such as the Internet may need to evolve without compromising application availability. Object systems are well suited for runtime update, as encapsulation clearly separates internal structure and external services. This paper considers a type-safe asynchronous mechanism for dynamic class upgrade, allowing class hierarchies to be updated in such a way that the existing objects of the upgraded class and of its subclasses gradually evolve at runtime. New external services may be introduced in classes and old services may be reprogrammed while static type checking ensures that asynchronous class updates maintain type safety. A formalization is shown in the Creol language which, addressing distributed and object-oriented systems, provides a natural framework for dynamic upgrades.

Context Aware Reconfiguration in Software Product Lines

Software Product Lines (SPLs) are a mechanism for large-scale reuse where families of related software systems are represented in terms of commonalities and variabilities, e.g., using Feature Models (FMs). While FMs define all possible configurations of the SPL, when considering dynamic SPLs not every possible configuration may be valid in all possible contexts. Unfortunately, common FMs can not capture this context dependence. In this paper, we remedy this problem by extending attributed FMs with Validity Formulas (VFs) that constrain the selection of a particular feature to a specific context and that are located directly within the FM. We provide a reconfiguration engine that checks if the active configuration is valid in the current context and, if not, computes how to reconfigure it. Furthermore, we present our implementation and demonstrate its feasibility within a case study derived from scenarios of our industry partner in the automotive domain.

ABS-YARN: A Formal Framework for Modeling Hadoop YARN Clusters

In cloud computing, software which does not flexibly adapt to deployment decisions either wastes operational resources or requires reengineering, both of which may significantly increase costs. However, this could be avoided by analyzing deployment decisions already during the design phase of the software development. Real-Time ABS is a formal language for executable modeling of deployed virtualized software. Using Real-Time ABS, this paper develops a generic framework called ABS-YARN for YARN, which is the next generation of the Hadoop cloud computing platform with a state-of-the-art resource negotiator. We show how ABS-YARN can be used for prototyping YARN and for modeling job execution, allowing users to rapidly make deployment decisions at the modeling level and reduce unnecessary costs. To validate the modeling framework, we show strong correlations between our model-based analyses and a real YARN cluster in different scenarios with benchmarks.

User Profiles for Context-Aware Reconfiguration in Software Product Lines

Software Product Lines (SPLs) are a mechanism to capture families of closely related software systems by modeling commonalities and variability. Although user customization has a growing importance in software systems and is a vital sales argument, SPLs currently only allow user customization at deploy-time. In this paper, we extend the notion of context-aware SPLs by means of user profiles, containing a linearly ordered set of preferences. Preferences have priorities, meaning that a low priority preference can be neglected in favor of a higher prioritized one. We present a reconfiguration engine checking the validity of the current configuration and, if necessary, reconfiguring the SPL while trying to fulfill the preferences of the active user profile. Thus, users can be assured about the reconfiguration engine providing the most suitable configuration for them. Moreover, we demonstrate the feasibility of our approach using a case study based on existing car customizability.

WebDPF: A web-based metamodelling and model transformation environment

Metamodelling and model transformation play important roles in model-driven engineering as they can be used to define domain-specific modelling languages. During the modelling phase, modellers encode domain knowledge into models which may include both structural and behavioral aspects of a system. The contribution of this paper is a new web-based metamodelling and model transformation tool called WebDPF based on the Diagram Predicate Framework (DPF). WebDPF supports multilevel diagrammatic metamodelling and specification of model constraints, and it supports diagrammatic development and analysis of model transformation systems. We show how the support for model transformation systems in WebDPF can be exploited to (i) support auto-completion of partial models thereby enhancing modelling efficiency, and (ii) provide execution semantics for workflow models. Furthermore, we illustrate how WebDPF incorporates a scalable model navigation facility designed to enable users to inspect and query large models.

Proof repositories for compositional verification of evolving software systems managing change when proving software correct

We propose a new and systematic framework for proof reuse in the context of deductive software verification. The framework generalizes abstract contracts into incremental proof repositories. Abstract contracts enable a separation of concerns between called methods and their implementations, facilitating proof reuse. Proof repositories allow the systematic caching of partial proofs that can be adapted to different method implementations. The framework provides flexible support for compositional verification in the context of, e.g., partly developed programs, evolution of programs and contracts, and product variability.

Tracking behavioral constraints during object-oriented software evolution

An intrinsic property of real world software is that it needs to evolve. The software is continuously changed during the initial development phase, and existing software may need modifications to meet new requirements. To facilitate the development and maintenance of programs, it is an advantage to have programming environments which allow the developer to alternate between programming and verification tasks in a flexible manner and which ensures correctness of the final program with respect to specified behavioral properties. This paper proposes a formal framework for the flexible development of object-oriented programs, which supports an interleaving of programming and verification steps. The motivation for this framework is to avoid imposing restrictions on the programming steps to facilitate the verification steps, but rather to track unresolved proof obligations and specified properties of a program which evolves. A proof environment connects unresolved proof obligations and specified properties by means of a soundness invariant which is maintained by both programming and verification steps. Once the set of unresolved obligations is empty, the invariant ensures the soundness of the overall program verification.