Michal Young

Foundations for the Arcadia environment architecture

Early software environments have supported a narrow range of activities (programming environments) or else been restricted to a single “hard-wired” software development process. The Arcadia research project is investigating the construction of software environments that are tightly integrated, yet flexible and extensible enough to support experimentation with alternative software processes and tools. This has led us to view an environment as being composed of two distinct, cooperating parts. One is the variant part, consisting of process programs and the tools and objects used and defined by those programs. The other is the fixed part, or infrastructure, supporting creation, execution, and change to the constituents of the variant part. The major components of the infrastructure are a process programming language and interpreter, object management system, and user interface management system. Process programming facilitates precise definition and automated support of software development and maintenance activities. The object management system provides typing, relationships, persistence, distribution and concurrency control capabilities. The user interface management system mediates communication between human users and executing processes, providing pleasant and uniform access to all facilities of the environment. Research in each of these areas and the interaction among them is described.

Residual test coverage monitoring

Structural coverage criteria are often used as an indicator of the thoroughness of testing, but complete satisfaction of a criterion is seldom achieved. When a software product is released with less than 100% coverage, testers are explicitly or implicitly assuming that executions satisfying the remaining test obligations (the residue) are either infeasible or occur so rarely that they have negligible impact on quality. Violation of this assumption indicates shortcomings in the testing process. Monitoring in the deployed environment, even in the beta test phase, is typically limited to error and sanity checks. Monitoring the residue of test coverage in actual use can provide additional useful information, but it is unlikely to be accepted by users unless its performance impact is very small. Experience with a prototype tool for residual test coverage monitoring of Java programs suggests that, at least for statement coverage, the simple strategy of removing all probes except those corresponding to the residue of coverage testing reduces execution overhead to acceptably low levels.

Combining static concurrency analysis with symbolic execution

Static concurrency analysis detects anomalous synchronization patterns in concurrent programs, but may also report spurious errors involving infeasible execution paths. Integrated application of static concurrency analysis and symbolic execution sharpens the results of the former without incurring the full costs of the latter when applied in isolation. Concurrency analysis acts as a path selection mechanism for symbolic execution, while symbolic execution acts as a pruning mechanism for concurrency analysis. Methods of combining the techniques follow naturally from explicit characterization and comparison of the state spaces explored by each, suggesting a general approach for integrating state-based program analysis techniques in a software development environment. >

Transactions with isolation and cooperation

We present the TIC (Transactions with Isolation and Cooperation) model for concurrent programming. TIC adds to standard transactional memory the ability for a transaction to observe the effects of other threads at selected points. This allows transactions to cooperate, as well as to invoke nonrepeatable or irreversible operations, such as I/O. Cooperating transactions run the danger of exposing intermediate state and of having other threads change the transactions state. The TIC model protects against unanticipated interference by having the type system keep track of all operations that may (transitively) violate the atomicity of a transaction and require the programmer to establish consistency at appropriate points. The result is a programming model that is both general and simple. We have used the TIC model to re-engineer existing lock-based applications including a substantial multi-threaded web mail server and a memory allocator with coarse-grained locking. Our experience confirms the features of the TIC model: It is convenient for the programmer, while maintaining the benefits of transactional memory.

Integrated concurrency analysis in a software development enviornment

The inherent difficulties of analyzing concurrent software make reliance on a single technique or a single monolithic tool unsatisfactory. A better approach is to apply multiple analysis and verification techniques by coordinating the activities of a variety of small tool components. We describe how this approach has shaped the design of a set of tool components to support concurrency analysis in the Arcadia-1 software development environment. Implementation and experience with key components is described.

Software environment architectures and user interface facilities

The authors discuss the demands and constraints on a user interface management system for a software environment, and the relation between the architecture of the environment and the user interface management system. A model for designing user interface management systems for large extensible environments is presented. This model synthesizes several recent advances in user interfaces and specializes them to the domain of software environments. The model can be applied to a wide variety of environment contexts. A prototype implementation is described. >

A concurrency analysis tool suite for Ada programs: rationale, design, and preliminary experience

Cats (Concurrency Analysis Tool Suite) is designed to satisfy several criteria: it must analyze implementation-level Ada source code and check user-specified conditions associated with program source code; it must be modularized in a fashion that supports flexible composition with other tool components, including integration with a variety of testing and analysis techniques; and its performance and capacity must be sufficient for analysis of real application programs. Meeting these objectives together is significantly more difficult than meeting any of them alone. We describe the design and rationale of Cats and report experience with an implementation. The issues addressed here are primarily practical concerns for modularizing and integrating tools for analysis of actual source programs. We also report successful application of Cats to major subsystems of a (nontoy) highly concurrent user interface system.

SLA Protection models for virtualized data centers

Enterprise services must satisfy strong requirements that are coded in agreements with customers, commonly called service level agreements (SLA). To satisfy SLAs in critical conditions, conventional data centers are often greatly over-dimensioned, wasting resources and raising service costs. Virtualized data centers (VDC) provide an opportunity to significantly reduce over-dimensioning, and so reduce service costs without negatively affecting service agreements, through dynamic adaptation. In this paper, we discuss the problems involved in creating self-adaptive enterprise services in virtualized data centers, and we investigate solution strategies. We envision a set of models that help adaptation controllers to identify suitable reactions to changes in service level agreement and environmental execution conditions. We introduce models at different abstraction levels, to support the evaluation of the impacts of adaptation actions on system and SLA. We explore the requirements and specify the characteristics of these models through a case study: a Video on Demand service delivered using VDCs.

How to leave out details: error-preserving abstractions of state-space models

Analyses based on state-space models of execution must omit some details of execution, in order to fold the infinite space of possible program executions into a sufficiently small space for analysis. These simplifications are generally justified by a claim that the resulting analysis is conservative with respect to a certain class of faults, i.e. that the simplification will not cause any faults to be overlooked in the analysis. The author formalized a notion of error-preserving abstractions which captures this claim, gives sufficient conditions for verifying this property in practical cases, and discusses the role of error-preserving abstractions in combining fault detection techniques.<<ETX>>

Re‐designing tasking structures of Ada programs for analysis: A case study

In previous publications the authors described a compositional (hierarchical) approach to reachability analysis of Ada tasking programs based on process algebra. The abstraction capabilities of process algebra provide an effective means to control state explosion in automated state‐space analysis, but only if a design is carefully modularized to encapsulate details of behaviour. This paper reports experience modifying an existing design (a remote temperature sensor system described by Sanden) to make it more amenable to hierarchical analysis. Redesign for analysis was effective in improving the design in other ways as well: flaws uncovered in the analysis (and present in the original design) were easy to understand and correct because of the increased understandability of the revised design. This also suggests that these flaws might have been avoided, and the design generally improved, had ‘design for analysis’ been applied from the start.